From lists at chrispoole.com Sat Jul 2 21:37:51 2011
From: lists at chrispoole.com (Chris Poole)
Date: Sat, 2 Jul 2011 20:37:51 +0100
Subject: Change key prefs; few questions
Message-ID: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
Hi,
I changed the order of preferred ciphers and hash functions using setpref. My public key has changed, but not the fingerprint.
Is the done thing now to ask anyone with the key to pull the latest version? (I've already updated the keyserver version.)
Thanks
From dshaw at jabberwocky.com Sun Jul 3 02:38:33 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 Jul 2011 20:38:33 -0400
Subject: Change key prefs; few questions
In-Reply-To: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
Message-ID:
On Jul 2, 2011, at 3:37 PM, Chris Poole wrote:
> Hi,
> I changed the order of preferred ciphers and hash functions using setpref. My public key has changed, but not the fingerprint.
That is correct. Changing the various preferences does not change the fingerprint. The fingerprint remains constant no matter what you do to the key (changed/new preferences, new subkeys, new user IDs, etc).
> Is the done thing now to ask anyone with the key to pull the latest version? (I've already updated the keyserver version.)
You can ask them to update, if you like. It's up to you if the change you made to the preferred list is important enough. Some people refresh their keys periodically anyway.
David
From lists at chrispoole.com Sun Jul 3 10:37:55 2011
From: lists at chrispoole.com (Chris Poole)
Date: Sun, 3 Jul 2011 09:37:55 +0100
Subject: Change key prefs; few questions
In-Reply-To:
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
Message-ID: <9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
Thanks.
There's no way to change the cipher used for encrypting the private key itself (CAST5 I believe)?
(Not that I would, as I'm sure the default is more than good enough for my needs.)
Also, if I understand correctly, someone trying to brute-force the key would need to guess my passphrase, then pass it through the key stretching algorithm that gpg uses, before trying to decrypt the key. How often does the "work function", defining how long the key stretching process takes, get updated? (I can't find an option to make it user configurable.)
Thanks
Chris
From dshaw at jabberwocky.com Sun Jul 3 16:24:15 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 3 Jul 2011 10:24:15 -0400
Subject: Change key prefs; few questions
In-Reply-To: <9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
Message-ID:
On Jul 3, 2011, at 4:37 AM, Chris Poole wrote:
> Thanks.
>
> There's no way to change the cipher used for encrypting the private key itself (CAST5 I believe)?
It is CAST5 by default, but you can change it. To change the cipher, you need to set the passphrase since that's when the encryption for the secret key is set. You can take the opportunity to change the passphrase, or just use the same one as before.
This will set your private key cipher to AES:
gpg --s2k-cipher-name aes --edit-key (thekey) passwd save
> Also, if I understand correctly, someone trying to brute-force the key would need to guess my passphrase, then pass it through the key stretching algorithm that gpg uses, before trying to decrypt the key. How often does the "work function", defining how long the key stretching process takes, get updated? (I can't find an option to make it user configurable.)
It's configurable in the same way that changing the encryption is: you need to do it while changing the password. Add "--s2k-count XXX" to the above command line and you can set how many iterations are done. It can range from 1024 to 65011712, and the default is 65536. Note that not all possible values are legal, and if you pick an illegal value, GnuPG will round it up to the next higher legal value.
David
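What --s2k-count controls, as an added example (not code from this thread or from GnuPG): RFC 4880 stores the count in one coded octet, which is why only some values are legal, and the count is the number of octets fed to the hash. The function names, the clamp for oversized requests and the sample passphrase and salt are assumptions made for illustration.

```python
import hashlib


def decode_count(coded):
    """Expand the one-octet coded count of an S2K specifier (RFC 4880, 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(requested):
    """Return the coded octet for the smallest legal count >= requested.

    decode_count() grows with the octet value, so the first match is the
    round-up. Requests above the maximum are clamped to 255 (assumption).
    """
    for coded in range(256):
        if decode_count(coded) >= requested:
            return coded
    return 255


def s2k_iterated_salted(passphrase, salt, coded, key_len, hash_name="sha1"):
    """Derive key_len bytes with the iterated and salted S2K (type 3)."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The count is octets hashed; salt+passphrase is always hashed whole at
    # least once, even when the count is smaller than its length.
    count = max(decode_count(coded), len(data))
    full, rest = divmod(count, len(data))
    key = b""
    preload = 0
    while len(key) < key_len:
        # Keys longer than one digest use extra contexts preloaded with zeros.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    for asked in (1024, 65536, 100000, 65011712):
        coded = encode_count(asked)
        print("requested %9d -> coded 0x%02x -> %9d octets hashed"
              % (asked, coded, decode_count(coded)))
    # Constructed sample input: passphrase and salt are made up for the demo.
    key = s2k_iterated_salted(b"correct horse", bytes(range(8)), 0x60, 16)
    print("128-bit key at the default count:", key.hex())
```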
From expires2011 at ymail.com Sun Jul 3 16:58:07 2011
From: expires2011 at ymail.com (MFPA)
Date: Sun, 3 Jul 2011 15:58:07 +0100
Subject: Change key prefs; few questions
In-Reply-To:
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
Message-ID: <858970447.20110703155807@my_localhost>
Hi
On Sunday 3 July 2011 at 3:24:15 PM, David Shaw wrote:
> This will set your private key cipher to AES:
> gpg --s2k-cipher-name aes --edit-key (thekey) passwd
> save
Is there a reason to do this?
- --
Best regards
MFPA mailto:expires2011 at ymail.com
A candle loses nothing by lighting another candle
From dshaw at jabberwocky.com Sun Jul 3 17:45:33 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 3 Jul 2011 11:45:33 -0400
Subject: Change key prefs; few questions
In-Reply-To: <858970447.20110703155807@my_localhost>
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
<858970447.20110703155807@my_localhost>
Message-ID: <165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
On Jul 3, 2011, at 10:58 AM, MFPA wrote:
> On Sunday 3 July 2011 at 3:24:15 PM, David Shaw wrote:
>
>> This will set your private key cipher to AES:
>
>> gpg --s2k-cipher-name aes --edit-key (thekey) passwd
>> save
>
> Is there a reason to do this?
There are some obscure edge cases where you must have a 3DES or AES encrypted private key, but for the overwhelming majority of people, no, there is no reason to do this. The default (CAST5) is quite strong (which the original poster acknowledged). It's just helpful to know what the "knobs" are to understand how something as complex as OpenPGP is put together.
David
From lists at chrispoole.com Sun Jul 3 18:15:07 2011
From: lists at chrispoole.com (Chris Poole)
Date: Sun, 3 Jul 2011 17:15:07 +0100
Subject: Change key prefs; few questions
In-Reply-To: <165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
<858970447.20110703155807@my_localhost>
<165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
Message-ID:
On Sun, Jul 3, 2011 at 4:45 PM, David Shaw wrote:
> There are some obscure edge cases where you must have a 3DES or AES encrypted
> private key, but for the overwhelming majority of people, no, there is no
> reason to do this. The default (CAST5) is quite strong (which the original
> poster acknowledged). It's just helpful to know what the "knobs" are to
> understand how something as complex as OpenPGP is put together.
Exactly, it's just good to know. I won't bother changing the cipher or count,
but this leaves me with one final question:
In a few years, assuming GPUs are faster than ever, Moore's law is still on
track, and all that; should I change the number of iterations with --s2k-count?
The default 65536 is probably fine for now, but it'll certainly end up being too
slow. gpg won't do this for me, or counteract this in another way?
Thanks
Chris
From dshaw at jabberwocky.com Mon Jul 4 05:01:39 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 3 Jul 2011 23:01:39 -0400
Subject: Change key prefs; few questions
In-Reply-To:
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
<858970447.20110703155807@my_localhost>
<165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
Message-ID:
On Jul 3, 2011, at 12:15 PM, Chris Poole wrote:
> On Sun, Jul 3, 2011 at 4:45 PM, David Shaw wrote:
>> There are some obscure edge cases where you must have a 3DES or AES encrypted
>> private key, but for the overwhelming majority of people, no, there is no
>> reason to do this. The default (CAST5) is quite strong (which the original
>> poster acknowledged). It's just helpful to know what the "knobs" are to
>> understand how something as complex as OpenPGP is put together.
>
> Exactly, it's just good to know. I won't bother changing the cipher or count,
> but this leaves me with one final question:
>
> In a few years, assuming GPUs are faster than ever, Moore's law is still on
> track, and all that; should I change the number of iterations with --s2k-count?
> The default 65536 is probably fine for now, but it'll certainly end up being too
> slow. gpg won't do this for me, or counteract this in another way?
GnuPG generally has its defaults updated every now and then. While some of the new possible defaults (DSA/Elgamal keys becoming RSA/RSA, new default key sizes) do require the generation of a new key to use, others (default preferences, secret key protection, and secret key iteration count) are available to any key. Since secret key cipher and iteration count are tied to the encryption of the secret key (via the passphrase), if you just change your passphrase with that new version of GnuPG, you'll automatically pick up a new cipher and iteration count.
PGP has a clever trick to set an appropriate s2k-count without knowing anything about the various processors it will be run on: it simply figures out how many iterations it can do in 1/10 of a second (which always results in a value higher than 65536 these days), and uses that. I believe that the newer GPG (2.x) has some support for this design, but I don't recall offhand if it is using it fully yet. We should probably raise the (static) GPG 1.x count as well at some point. It's been 65536 for a long time (over a decade).
It's not unreasonable to raise your s2k-count for your secret key. If you pick a value that is too high and you find it annoying, you can always set it back down to something lower. It doesn't cause any real harm if you go too high - just wastes some of your time (which is sort of the point!) That's for secret keys, of course. More complex is sending passphrase-encrypted messages (which also have a s2k-count), where you don't know the CPU capabilities of the recipient. There was a case a year or two back where receiving an OpenPGP message with a too-high s2k-count would cause a device to hit its deadman timer since it spent so much time iterating passphrases. Someone had created the message on a fast machine (and so didn't notice the delay), and sent it to someone on a slow machine which was clobbered by it.
Of course, if you want extra security against brute forcing, even better than bumping up your s2k-count would be to just add a character or three to your passphrase.
David
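A receiver-side guard for the passphrase-encrypted message case described above, as an added example (not GnuPG's or PGP's code): read the S2K specifier from a version 4 symmetric-key encrypted session key packet body and refuse counts that exceed a hashing budget calibrated on the local machine. The function names, the 0.1 second budget and the packet bytes are constructed for illustration.

```python
import hashlib
import time

HASHES = {2: "sha1", 8: "sha256", 10: "sha512"}  # RFC 4880 hash algorithm IDs


def decode_count(coded):
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_skesk_s2k(body):
    """Return (s2k_type, hash_id, salt, octet_count) from a v4 SKESK body.

    Layout (RFC 4880, 5.3 and 3.7.1): version, cipher, S2K type, hash,
    then an 8-octet salt (types 1 and 3) and a coded count (type 3).
    """
    if len(body) < 4 or body[0] != 4:
        raise ValueError("not a version 4 SKESK body")
    s2k_type, hash_id = body[2], body[3]
    if s2k_type == 0:                      # simple S2K: no salt, no count
        return s2k_type, hash_id, b"", 0
    if s2k_type in (1, 3):
        if len(body) < (12 if s2k_type == 1 else 13):
            raise ValueError("truncated S2K specifier")
        count = decode_count(body[12]) if s2k_type == 3 else 0
        return s2k_type, hash_id, body[4:12], count
    raise ValueError("unsupported S2K type %d" % s2k_type)


def measure_hash_rate(hash_name, sample_bytes=1 << 22):
    """Octets per second this machine hashes (one bulk measurement).

    Bulk hashing is an optimistic estimate; a real S2K loop feeds many
    small chunks and may need more than one pass for long keys.
    """
    buf = b"\x00" * 65536
    h = hashlib.new(hash_name)
    start = time.perf_counter()
    for _ in range(sample_bytes // len(buf)):
        h.update(buf)
    h.digest()
    return sample_bytes / max(time.perf_counter() - start, 1e-9)


def largest_coded_within(max_octets):
    """Largest coded count octet that fits the budget, or None if none fits."""
    best = None
    for coded in range(256):
        if decode_count(coded) <= max_octets:
            best = coded
    return best


def accept_s2k(body, max_octets):
    """Decide before hashing anything whether the specifier is affordable."""
    _, hash_id, _, count = parse_skesk_s2k(body)
    if hash_id not in HASHES:
        raise ValueError("hash algorithm %d not handled here" % hash_id)
    return count <= max_octets


if __name__ == "__main__":
    budget = int(measure_hash_rate("sha1") * 0.1)   # octets hashable in 0.1 s
    coded = largest_coded_within(budget)
    print("budget %d octets, largest legal coded count %r" % (budget, coded))
    # Constructed packets: AES-128 (7), iterated+salted (3), SHA-1 (2), zero salt.
    for label, c in (("default", 0x60), ("maximum", 0xFF)):
        body = bytes([4, 7, 3, 2]) + bytes(8) + bytes([c])
        print(label, "accepted" if accept_s2k(body, budget) else "rejected")
```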
From lists at chrispoole.com Mon Jul 4 08:37:05 2011
From: lists at chrispoole.com (Chris Poole)
Date: Mon, 4 Jul 2011 07:37:05 +0100
Subject: Change key prefs; few questions
In-Reply-To:
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
<858970447.20110703155807@my_localhost>
<165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
Message-ID: <8F1FBF0D-C102-4975-9733-E741D8722BB3@chrispoole.com>
Thanks for the detailed reply.
Since --s2k-count will just affect the encryption of my private key, I'll go ahead and give myself a half second delay.
> sending passphrase-encrypted messages (which also have a s2k-count)
By this you mean symmetrically-encrypted messages, with the -c flag? So I can just use the --s2k-count flag again, to change this. Presumably it's pretty pointless to change the count for asymmetrically-encrypted messages, since the session key will be long enough to discourage any brute forcing anyway.
Cheers
Chris
From wk at gnupg.org Mon Jul 4 08:58:19 2011
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 Jul 2011 08:58:19 +0200
Subject: Change key prefs; few questions
In-Reply-To: (David
Shaw's message of "Sun, 3 Jul 2011 23:01:39 -0400")
References: <8C71EFB9-6B22-42AC-92FA-0B414187F584@chrispoole.com>
<9625C6B4-76D3-409E-95C8-04E0F0D1CE1C@chrispoole.com>
<858970447.20110703155807@my_localhost>
<165AFCE3-C523-4703-83C2-04AC7A348666@jabberwocky.com>
Message-ID: <878vseedmc.fsf@vigenere.g10code.de>
On Mon, 4 Jul 2011 05:01, dshaw at jabberwocky.com said:
> figures out how many iterations it can do in 1/10 of a second (which
> always results in a value higher than 65536 these days), and uses
> that. I believe that the newer GPG (2.x) has some support for this
> design, but I don't recall offhand if it is using it fully yet. We
We have it working since 2.0.15 and gpg2 uses it. It would be easy to
backport it to 1.4 and use it if use-agent is used (look for
agent_get_s2k_count).
We need to use a persistent process (like the agent) to do the
calibration so that it does not take too long. You may use
gpg-connect-agent 'getinfo s2k_count' /bye
to see the number of iterations.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From rjh at sixdemonbag.org Mon Jul 4 09:53:31 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 04 Jul 2011 03:53:31 -0400
Subject: Len Sassaman
Message-ID: <4E11717B.2080803@sixdemonbag.org>
Len Sassaman, a former employee of PGP (during the 1998-2001 time
period) who was also instrumental in writing the Mixmaster anonymous
remailers, died yesterday in Belgium in an apparent suicide brought on
by severe depression.
I knew Len: not as well as many, more than most. We had a conflicted
and mixed history. That said, no one who knew him could doubt his
commitment to anonymity and privacy. These issues occupied a great deal
of his time and life, and our community is stronger for his
participation in it.
/Accept these, soaked with a brother's many tears,
and forever, brother, hail and farewell./
-- Catullus
From marcus.brinkmann at ruhr-uni-bochum.de Mon Jul 4 19:05:40 2011
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 4 Jul 2011 19:05:40 +0200
Subject: [Announce] libassuan 2.0.2 released
Message-ID: <4E11F2E4.7030902@ruhr-uni-bochum.de>
Hi,
libassuan 2.0.2 is a minor release of libassuan. It provides a
shared library which is a dependency of the upcoming versions of GPGME,
GnuPG 2.1.x and others.
ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.2.tar.bz2
ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.2.tar.bz2.sig
The sha1sums of these files are:
e843fd96b4cb05eb737e465891034229f50469d4 libassuan-2.0.1-2.0.2.diff.bz2
dbcd96e2525d4c3a2da9e8054a06fa517f20a185 libassuan-2.0.2.tar.bz2
74b09f626c67ffe51ba21a38b7bed0ea35112c6b libassuan-2.0.2.tar.bz2.asc
Noteworthy changes in version 2.0.2 (2010-06-16)
------------------------------------------------
* A new flag may now be used to convey comments via assuan_transact.
* A new flag value may now be used to disable logging.
* The gpgcedev.c driver now provides a log device.
* It is now possible to overwrite socket and connect functions in
struct assuan_system_hooks.
* Interface changes relative to the 2.0.1 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ASSUAN_CONVEY_COMMENTS NEW.
ASSUAN_NO_LOGGING NEW.
assuan_system_hooks_t CHANGED: Added socket and connect members.
ASSUAN_SYSTEM_HOOKS_VERSION CHANGED: Bumped to 2.
assuan_register_pre_cmd_notify NEW.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61 Geschäftsführung Werner Koch
D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From marcus.brinkmann at ruhr-uni-bochum.de Mon Jul 4 19:06:01 2011
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 4 Jul 2011 19:06:01 +0200
Subject: [Announce] GPGME 1.3.1 released
Message-ID: <4E11F2F9.9050306@ruhr-uni-bochum.de>
Hi,
We are pleased to announce version 1.3.1 of GnuPG Made Easy,
a library designed to make access to GnuPG easier for applications.
It may be found in the file
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.1.tar.bz2
ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.1.tar.bz2.sig
It should soon appear on the mirrors listed at:
http://www.gnupg.org/mirrors.html
Bug reports and requests for assistance should be sent to:
gnupg-devel at gnupg.org
The sha1sum checksums for this distribution are
7d19a95a2239da13764dad7f97541be884ec5a37 gpgme-1.3.1.tar.bz2
93316a81a8f903c5b604716b6937884ea7b0917a gpgme-1.3.1.tar.bz2.sig
Noteworthy changes in version 1.3.1 (2011-06-16)
------------------------------------------------
* Ported to Windows CE.
* Detect GPG versions not supporting --passwd.
* Interface changes relative to the 1.3.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GPGME_EXPORT_MODE_MINIMAL NEW
GPGME_STATUS_SUCCESS NEW
gpgme_err_code_from_syserror NEW
gpgme_err_set_errno NEW
gpgme_error_from_errno CHANGED: Return gpgme_error_t (compatible type).
gpgme_error_from_syserror NEW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61 Geschäftsführung Werner Koch
D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608
From onemailid4mailinglists at edpnet.be Wed Jul 6 15:30:36 2011
From: onemailid4mailinglists at edpnet.be (Olivier N.)
Date: Wed, 06 Jul 2011 15:30:36 +0200
Subject: Error messages when generating new keys
In-Reply-To: <87sjqvjei9.fsf@vigenere.g10code.de>
References: <4E03C16C.1040200@edpnet.be>
<87y60nl6go.fsf@vigenere.g10code.de> <4E08BB32.9030408@edpnet.be>
<87sjqvjei9.fsf@vigenere.g10code.de>
Message-ID: <4E14637C.6070902@edpnet.be>
Hello Werner,
>> 2. I tried "$ gpg2 --gen-key", chose default options
>> and entered my infos (email address, name,...)
>> and I got:
>> gpg: problem with the agent: Bad CA certificate
>> gpg: problem with the agent: Invalid card
>> gpg: Key generation canceled.
>
> You are either running a version of gpg-agent which is too old or gpg
> started that version of gpg-agent but expected another one. Or there is
> another daemon taking over the connection between gpg2 and gpg-agent.
> Seahorse as well as the gnome-keychain(?) used to do this (which is
> something they should not do).
>
> Adding the options "--verbose --debug 2048" to the command line may give
> you some more insight. Make sure all gpg-agent's are stopped.
I modified my Linux box a lot these last few days:
upgrades, new WM (ratpoison instead of gnome) and so on.
I then tried gpg2 again and I have no error message anymore.
Great! Even though I have no idea what solved my problem.
In a few days, I'll have to install it and use it on
computers running Windows. Hope everything will run fine.
Thanks again,
Olivier
From marcio.barbado at gmail.com Wed Jul 6 19:28:55 2011
From: marcio.barbado at gmail.com (Marcio B. Jr.)
Date: Wed, 6 Jul 2011 14:28:55 -0300
Subject: Is the OpenPGP model still useful?
In-Reply-To: <4DBAB94B.9000600@sixdemonbag.org>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
Message-ID:
Hello,
resuming this thread because I'm studying encryption options for KDE's
Kopete IM client.
So far, OTR adoption seems unjustifiable, really. I mean, it uses the
Diffie-Hellman key exchange method with block ciphers.
As of what I got from your (Robert) explanation plus some preliminary
conclusions of my studies, making use of asymmetric algos with OpenPGP
would be more coherent and secure, mathematically. Is it correct?
Regards,
On Fri, Apr 29, 2011 at 10:12 AM, Robert J. Hansen wrote:
> On 4/28/11 11:05 AM, Michel Messerschmidt wrote:
>> Sounds very much like Off-the-Record messaging for every kind of
>> communication. Or is there a difference I have missed?
>
> The barrier to usage is still high with OTR: users still have to
> authenticate, and you can get horrible sync issues. Plus, let's not
> forget the wacky hijinks that occur if you're logged into IM from two
> places at once -- although this is explicitly supported by some IM
> protocols (Jabber), with OTR it causes no end of troubles.
>
> The thought experiment here -- it's not a real proposal -- is, "what
> would happen if we discarded authentication entirely, and went purely
> for a require-brute-force approach to discover the random session key?"
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
Marcio Barbado, Jr.
From dkg at fifthhorseman.net Wed Jul 6 21:09:02 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Jul 2011 15:09:02 -0400
Subject: OT: IM encryption options [was: Re: Is the OpenPGP model still
useful?]
In-Reply-To:
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org> <20110428150505.GB4219@rio.matrix> <4DBAB94B.9000600@sixdemonbag.org>
Message-ID: <4E14B2CE.4050104@fifthhorseman.net>
On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
> resuming this thread because I'm studying encryption options for KDE's
> Kopete IM client.
Hmm, i'm not sure this is the best place for this discussion, so i've
marked the subject line OT for "off-topic" -- if you think there might
be a better discussion list, feel free to follow up there.
> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
> Diffie-Hellman key exchange method with block ciphers.
Why does this seem unjustifiable to you? DH and block ciphers are
widely-reviewed parts of the standard crypto toolkit. Do you have
reason to believe they're generally bad?
> As of what I got from your (Robert) explanation plus some preliminary
> conclusions of my studies, making use of asymmetric algos with OpenPGP
> would be more coherent and secure, mathematically. Is it correct?
Not all of these decisions should be made on purely mathematical
grounds. Consider, for example, pidgin's old GPG plugin (i don't know
whether it is still in use or under development)
It worked by signing and encrypting each message before it was sent, and
decrypting and verifying each response.
However, IM messages tend to be heavily context-dependent, which makes
them vulnerable to replay attacks.
For example, how many times have you written on IRC (or whatever IM
network you use) the simple phrase "i agree"?
If each message is individually signed and verified, it'd be relatively
easy for an attacker to replay your "i agree" in another conversation,
making it look like you agreed to something you hadn't actually agreed
to. OTR's stream-based approach ensures that messages are only
authenticated as part of a single, two-party conversation. There is no
room for a replay attack.
OTR also is designed so that a third-party (one not involved in the
original communication) can't conclusively prove that you wrote
something. this is the "off the record" part of OTR. It's debatable
how useful this so-called "repudiability" would be in, say, a court of
law; but individually-signed messages clearly do *not* have this kind of
repudiability; anyone in possession of one of these messages can
convince any third party that you did in fact write the message.
Note that we're just talking here about message/conversation signing,
encryption, and verification; iirc, the original thread was asking about
OpenPGP's certification model (that is, how multi-issuer OpenPGP
certificates are used to bind identities to public keys), which is an
entirely different (though related) topic.
hope this helps,
--dkg
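The replay point above in miniature, as an added example (a simplified model, not OTR's protocol and not the pidgin plugin's code): a tag that covers only the message text verifies in any conversation, while a tag keyed per conversation and bound to a sequence number does not. HMAC stands in for a signature because the standard library has none; the class, function names and secrets are constructed.

```python
import hashlib
import hmac
import os

LONG_TERM_KEY = os.urandom(32)  # stand-in for a long-term signing key


def sign_standalone(text):
    """Authenticate the text alone, as per-message signing does."""
    return hmac.new(LONG_TERM_KEY, text, hashlib.sha256).digest()


def verify_standalone(text, tag):
    return hmac.compare_digest(sign_standalone(text), tag)


class Conversation:
    """One end of a two-party conversation with its own MAC key and counters."""

    def __init__(self, shared_secret):
        # shared_secret models the result of a fresh key exchange.
        self.key = hashlib.sha256(b"conversation-mac" + shared_secret).digest()
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq, text):
        return hmac.new(self.key, seq.to_bytes(8, "big") + text,
                        hashlib.sha256).digest()

    def send(self, text):
        seq = self.send_seq
        self.send_seq += 1
        return seq, text, self._tag(seq, text)

    def receive(self, seq, text, tag):
        """Accept only the next expected message of this conversation."""
        if seq != self.recv_seq:
            return False
        if not hmac.compare_digest(self._tag(seq, text), tag):
            return False
        self.recv_seq += 1
        return True


def demo():
    """Return which verifications succeed for a captured "i agree"."""
    secret_a, secret_b = os.urandom(32), os.urandom(32)
    sender_a, receiver_a = Conversation(secret_a), Conversation(secret_a)
    receiver_b = Conversation(secret_b)
    captured = sender_a.send(b"i agree")
    tag = sign_standalone(b"i agree")
    return {
        "standalone_anywhere": verify_standalone(b"i agree", tag),
        "original_delivery": receiver_a.receive(*captured),
        "replay_same_conversation": receiver_a.receive(*captured),
        "replay_other_conversation": receiver_b.receive(*captured),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, "accepted" if ok else "rejected"))
```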
From dougb at dougbarton.us Wed Jul 6 21:37:16 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 06 Jul 2011 12:37:16 -0700
Subject: Is the OpenPGP model still useful?
In-Reply-To:
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org> <20110428150505.GB4219@rio.matrix> <4DBAB94B.9000600@sixdemonbag.org>
Message-ID: <4E14B96C.9080009@dougbarton.us>
On 07/06/2011 10:28, Marcio B. Jr. wrote:
> Hello,
> resuming this thread because I'm studying encryption options for KDE's
> Kopete IM client.
>
> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
> Diffie-Hellman key exchange method with block ciphers.
>
> As of what I got from your (Robert) explanation plus some preliminary
> conclusions of my studies, making use of asymmetric algos with OpenPGP
> would be more coherent and secure, mathematically. Is it correct?
IDOYTM, which you haven't defined.
Personally I've used OTR for years, and am a big fan.
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
From marcio.barbado at gmail.com Wed Jul 6 22:39:44 2011
From: marcio.barbado at gmail.com (Marcio B. Jr.)
Date: Wed, 6 Jul 2011 17:39:44 -0300
Subject: Is the OpenPGP model still useful?
In-Reply-To: <4E14B96C.9080009@dougbarton.us>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<4E14B96C.9080009@dougbarton.us>
Message-ID:
Dear Doug,
I don't know what "IDOYTM" is supposed to mean, "and am" afraid I'm
not enough-of-a-teenager to get really concerned with that.
If the existence of big fans justifies quality, Amy Winehouse would be
Teresa of Calcutta.
My question, which, I must emphasize for you, is a question - not an
assertion, was on mathematical coherence.
Regards,
On Wed, Jul 6, 2011 at 4:37 PM, Doug Barton wrote:
> On 07/06/2011 10:28, Marcio B. Jr. wrote:
>>
>> Hello,
>> resuming this thread because I'm studying encryption options for KDE's
>> Kopete IM client.
>>
>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> Diffie-Hellman key exchange method with block ciphers.
>>
>> As of what I got from your (Robert) explanation plus some preliminary
>> conclusions of my studies, making use of asymmetric algos with OpenPGP
>> would be more coherent and secure, mathematically. Is it correct?
>
> IDOYTM, which you haven't defined.
>
> Personally I've used OTR for years, and am a big fan.
>
> --
>
> Nothin' ever doesn't change, but nothin' changes much.
> -- OK Go
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>
>
Marcio Barbado, Jr.
From rjh at sixdemonbag.org Wed Jul 6 22:49:52 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 06 Jul 2011 13:49:52 -0700
Subject: Is the OpenPGP model still useful?
In-Reply-To:
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
Message-ID: <9f90ae22ddbdf320de745e5899e91bbe@localhost>
> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
> Diffie-Hellman key exchange method with block ciphers.
Why is this a problem?
> As of what I got from your (Robert) explanation plus some preliminary
> conclusions of my studies, making use of asymmetric algos with OpenPGP
> would be more coherent and secure, mathematically. Is it correct?
"Coherent" and "secure" are in the eyes of the beholder. Your statement
doesn't lend itself to a "yes, you're right" or a "no, you're wrong" answer
-- it's just not something I can answer. Coherency and security are
matters of personal taste and policy.
From dougb at dougbarton.us Wed Jul 6 22:50:45 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 06 Jul 2011 13:50:45 -0700
Subject: Is the OpenPGP model still useful?
In-Reply-To:
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org> <20110428150505.GB4219@rio.matrix> <4DBAB94B.9000600@sixdemonbag.org> <4E14B96C.9080009@dougbarton.us>
Message-ID: <4E14CAA5.5040701@dougbarton.us>
On 07/06/2011 13:39, Marcio B. Jr. wrote:
> Dear Doug,
> I don't know what "IDOYTM" is supposed to mean,
It depends on your threat model. You haven't defined what you're
guarding against, so it's impossible to judge how potential solutions
may or may not help.
> "and am" afraid I'm
> not enough-of-a-teenager to get really concerned with that.
>
> If the existence of big fans justifies quality, Amy Winehouse would be
> Teresa of Calcutta.
Um, yeah, Ok.
> My question, which, I must emphasize for you, is a question - not an
> assertion, was on mathematical coherence.
And like I said (and Daniel said in more detail) OTR has some very valid
use cases, but without knowing what your goals are it's hard to respond
intelligently.
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
From gnupg at oneiroi.net Thu Jul 7 01:52:42 2011
From: gnupg at oneiroi.net (Milo)
Date: Thu, 7 Jul 2011 01:52:42 +0200
Subject: Is the OpenPGP model still useful?
In-Reply-To: <9f90ae22ddbdf320de745e5899e91bbe@localhost>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<9f90ae22ddbdf320de745e5899e91bbe@localhost>
Message-ID: <20110706235242.GA24737@helcaraxe.net>
On Wed, Jul 06, 2011 at 01:49:52PM -0700, Robert J. Hansen wrote:
> (...)
>
> -- it's just not something I can answer. Coherency and security are
> matters of personal taste and policy.
Are you sure about that? Then find a person who will tell you that (you like
thought experiments, don't you?) during obvious live threat situation
feels secure. You can imagine what will be a common answer, right?
Defining from the scratch all the terms and dictionaries before starting
conversation is somehow bogus.
Robert, if you will look around you will find fine and common/universal-enough
definitions of security in context adequate to this thread. If you doubt
about that start a thread for revisiting - for example - wikipedia's terms
regarding IT/information security stuff. I think that most people (and
I'm saying about _most_ of them) will agree that they are fine.
Perhaps instead of serving extreme form of relativism is better to not
answer at all.
I think that informative and didactic value of such response is negligible.
--
Kind regards,
Milo
From rjh at sixdemonbag.org Thu Jul 7 05:47:15 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 06 Jul 2011 23:47:15 -0400
Subject: Is the OpenPGP model still useful?
In-Reply-To: <20110706235242.GA24737@helcaraxe.net>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<9f90ae22ddbdf320de745e5899e91bbe@localhost>
<20110706235242.GA24737@helcaraxe.net>
Message-ID: <4E152C43.7050007@sixdemonbag.org>
On 7/6/2011 7:52 PM, Milo wrote:
> Are you sure about that? Then find a person who will tell you that (you like
> thought experiments, don't you?) during obvious live threat situation
> feels secure. You can imagine what will be a common answer, right?
You must not know many United States Marines. They're a screwy bunch.
They kind of like getting shot at: it keeps them on their toes. On the
other side of the coin, consider someone suffering from combat-related
post traumatic stress disorder, for whom there is literally no
environment that allows them to feel safe. One group of people finds
even "obvious live threat situations" to be invigorating and they feel
quite confident about their ability to thrive in such situations, and
another group of people considers all situations, even "obviously" safe
ones, to be mortal threats.
I think we ought be very careful in making universal statements about
what all people agree upon with respect to security. It seems to me to
be quite likely there are no such things.
As with so many things in life, IDOYTM. Define your threat model, and
then we can talk about "coherency" and "security." Not before then.
From expires2011 at ymail.com Thu Jul 7 20:45:51 2011
From: expires2011 at ymail.com (MFPA)
Date: Thu, 7 Jul 2011 19:45:51 +0100
Subject: Is the OpenPGP model still useful?
In-Reply-To: <20110706235242.GA24737@helcaraxe.net>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<9f90ae22ddbdf320de745e5899e91bbe@localhost>
<20110706235242.GA24737@helcaraxe.net>
Message-ID: <1651735603.20110707194551@my_localhost>
Hi
On Thursday 7 July 2011 at 12:52:42 AM, in
, Milo wrote:
> I think that informative and didactic value of such
> response is negligible.
Even if that were true, there would still be the entertainment value.
But iconoclasm can be instructive; think for yourself, otherwise you
have to believe what others tell you.
- --
Best regards
MFPA mailto:expires2011 at ymail.com
Dollar sign - An S that's been double crossed
From lists at meumonus.com Fri Jul 8 00:06:14 2011
From: lists at meumonus.com (Devin Fisher)
Date: Thu, 7 Jul 2011 22:06:14 +0000
Subject: Keygrip
Message-ID: <1653336350-1310076375-cardhu_decombobulator_blackberry.rim.net-1450061921-@b1.c27.bise6.blackberry>
Hi,
I'm trying to use the gpg-preset-passphrase command and it keeps failing. My thought is I'm not getting the keygrip correct. How do I discover the keygrip for a public certificate?
From wk at gnupg.org Fri Jul 8 11:47:32 2011
From: wk at gnupg.org (Werner Koch)
Date: Fri, 08 Jul 2011 11:47:32 +0200
Subject: Keygrip
In-Reply-To: <1653336350-1310076375-cardhu_decombobulator_blackberry.rim.net-1450061921-@b1.c27.bise6.blackberry>
(Devin Fisher's message of "Thu, 7 Jul 2011 22:06:14 +0000")
References: <1653336350-1310076375-cardhu_decombobulator_blackberry.rim.net-1450061921-@b1.c27.bise6.blackberry>
Message-ID: <87pqll5cjv.fsf@vigenere.g10code.de>
On Fri, 8 Jul 2011 00:06, lists at meumonus.com said:
> I'm trying to use the gpg-preset-passphrase command and it keeps
> failing. My thought is I'm not getting the keygrip correct. How do I
> discover the keygrip for a public certificate?
With the stable 2.0 version of GnuPG the keygrip is only used for X.509;
thus you may use
$ gpgsm --with-keygrip -k foo
Which displays the keygrip below the fingerprint line. With GnuPG-2 the
keygrip is also used with gpg2; thus
$ gpg --with-keygrip -k foo
Another way is to somehow figure out the respective file in
~/.gnupg/private-keys-v1.d - the name of the file is the keygrip plus
the suffix ".key".
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From lists at chrispoole.com Fri Jul 8 16:10:47 2011
From: lists at chrispoole.com (Chris Poole)
Date: Fri, 8 Jul 2011 15:10:47 +0100
Subject: Check that s2k-count has changed
Message-ID:
When changing my secret key's passphrase, I bumped up the s2k-count to
6553600 (I just added two zeros; I don't notice any slow down when
decrypting on a Core2Duo).
How can I confirm that this count is being used?
I ran gpg --list-packets ~/.gnupg/secring.gpg, which told me a number
for "protect count" (in the secret key packet section). Does this map
to the number I gave on the command line when changing my passphrase?
Thanks
Chris Poole
From dshaw at jabberwocky.com Fri Jul 8 18:31:10 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 Jul 2011 12:31:10 -0400
Subject: Check that s2k-count has changed
In-Reply-To:
References:
Message-ID: <9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
On Jul 8, 2011, at 10:10 AM, Chris Poole wrote:
> When changing my secret key's passphrase, I bumped up the s2k-count to
> 6553600 (I just added two zeros; I don't notice any slow down when
> decrypting on a Core2Duo).
>
> How can I confirm that this count is being used?
>
> I ran gpg --list-packets ~/.gnupg/secring.gpg, which told me a number
> for "protect count" (in the secret key packet section). Does this map
> to the number I gave on the command line when changing my passphrase?
Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
You might file an enhancement bug to print the decoded value in --list-packets. We already print it for symmetric encryption, and it's reasonable to print it for secret keys as well.
David
From dkg at fifthhorseman.net Fri Jul 8 18:49:44 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 08 Jul 2011 12:49:44 -0400
Subject: Check that s2k-count has changed
In-Reply-To: <9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
Message-ID: <4E173528.8090700@fifthhorseman.net>
On 07/08/2011 12:31 PM, David Shaw wrote:
> Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
>
> You might file an enhancement bug to print the decoded value in --list-packets. We already print it for symmetric encryption, and it's reasonable to print it for secret keys as well.
or you can feed the secret key to pgpdump instead of gpg --list-packets;
pgpdump provides both values (coded and decoded) in its output.
hth,
--dkg
From lists at chrispoole.com Fri Jul 8 20:35:57 2011
From: lists at chrispoole.com (Chris Poole)
Date: Fri, 8 Jul 2011 19:35:57 +0100
Subject: Check that s2k-count has changed
In-Reply-To: <9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
Message-ID: <46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
On 8 Jul 2011, at 17:31, David Shaw wrote:
> Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
I do indeed get 201. Out of interest, how is that calculated?
I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.
Am I right in thinking that this means SHA1 is always used as a kind of checksum for the passphrase (only that and a simple checksum being specified by RFC4880), but the passphrase itself is stored as a SHA512 digest after 6553600 iterations of the hash function?
Cheers
Chris
From mailinglisten at hauke-laging.de Fri Jul 8 21:06:24 2011
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 8 Jul 2011 21:06:24 +0200
Subject: Check that s2k-count has changed
In-Reply-To: <46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
<46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
Message-ID: <201107082106.30976.mailinglisten@hauke-laging.de>
Am Freitag, 8. Juli 2011, 20:35:57 schrieb Chris Poole:
> On 8 Jul 2011, at 17:31, David Shaw wrote:
> > Yes. Note that the list-packets output shows the internal packed value:
> > 6553600 should come out to 201. The default of 65536 would encode to
> > 96.
>
> I do indeed get 201. Out of interest, how is that calculated?
https://tools.ietf.org/html/rfc4880#section-3.7.1.3
The count is coded into a one-octet number using the following formula:
#define EXPBIAS 6
count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS);
The above formula is in C, where "Int32" is a type for a 32-bit
integer, and the variable "c" is the coded count, Octet 10.
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
From dshaw at jabberwocky.com Fri Jul 8 21:08:02 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 8 Jul 2011 15:08:02 -0400
Subject: Check that s2k-count has changed
In-Reply-To: <46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
<46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
Message-ID:
On Jul 8, 2011, at 2:35 PM, Chris Poole wrote:
> On 8 Jul 2011, at 17:31, David Shaw wrote:
>> Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
>
> I do indeed get 201. Out of interest, how is that calculated?
Brace yourself. This is not pretty:
#define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))
OpenPGP historically has a bit of a phobia about using two or four bytes when it could be squeezed into one. Or even better, part of one. That's why the range of valid s2k-count values is 1024 through 65011712, but not all values are actually possible.
> I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.
It's using SHA512 for passphrase mangling. The SHA1 protection it is referencing is a checksum on the whole secret key packet itself. You can see the details in section 5.5.3 of RFC-4880, but basically it was added in response to the Klima-Rosa attack (which involved modifying the secret key in a way that the simple checksum used previously could not detect).
David
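Added example, not part of the original thread and not GnuPG's own code: a small C codec for the one-octet iteration count, built on the RFC 4880 formula quoted in the messages above. The function names and the round-up policy in the encoder are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define S2K_EXPBIAS 6   /* EXPBIAS from RFC 4880, section 3.7.1.3 */

/* Decode the coded count octet into the real iteration count.
 * Low nibble = 4-bit mantissa (with an implied leading 16),
 * high nibble = exponent, biased by S2K_EXPBIAS. */
uint32_t s2k_decode_count(uint8_t c)
{
    return ((uint32_t)16 + (c & 15)) << ((c >> 4) + S2K_EXPBIAS);
}

/* The decoded value grows strictly with the coded octet, which is what
 * lets the encoder below do a simple upward scan. Returns 1 if that holds
 * for all 256 octets. */
int s2k_decode_is_monotonic(void)
{
    unsigned c;
    for (c = 1; c < 256; c++)
        if (s2k_decode_count((uint8_t)c) <= s2k_decode_count((uint8_t)(c - 1)))
            return 0;
    return 1;
}

/* Encode a requested count as the smallest octet whose decoded value is
 * at least the request. Rounding up (never down) is this example's choice,
 * so a user never gets fewer iterations than asked for. Requests above the
 * maximum (65011712) are clamped to 255. */
uint8_t s2k_encode_count(uint32_t count)
{
    unsigned c;
    for (c = 0; c < 255; c++)
        if (s2k_decode_count((uint8_t)c) >= count)
            return (uint8_t)c;
    return 255;
}

/* Only 256 counts are representable; report whether this one is. */
int s2k_count_is_exact(uint32_t count)
{
    return s2k_decode_count(s2k_encode_count(count)) == count;
}

int main(void)
{
    /* Constructed sample requests: the two values from the thread, one
     * value that is not representable, and both out-of-range extremes. */
    static const uint32_t samples[] = { 65536, 6553600, 1000000, 1, 100000000 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t c = s2k_encode_count(samples[i]);
        printf("requested %9lu -> coded %3u -> effective %9lu%s\n",
               (unsigned long)samples[i], (unsigned)c,
               (unsigned long)s2k_decode_count(c),
               s2k_count_is_exact(samples[i]) ? "" : " (rounded)");
    }
    return 0;
}
```

Comparing the coded value printed by gpg --list-packets against s2k_encode_count() of the count you asked for confirms that the setting took effect.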
From lists at chrispoole.com Fri Jul 8 22:43:18 2011
From: lists at chrispoole.com (Chris Poole)
Date: Fri, 8 Jul 2011 21:43:18 +0100
Subject: Check that s2k-count has changed
In-Reply-To: <201107082106.30976.mailinglisten@hauke-laging.de>
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
<46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
<201107082106.30976.mailinglisten@hauke-laging.de>
Message-ID: <01CE3557-920D-4BD1-BA06-492088543F54@chrispoole.com>
Thank you.
On 8 Jul 2011, at 20:06, Hauke Laging wrote:
> Am Freitag, 8. Juli 2011, 20:35:57 schrieb Chris Poole:
>> On 8 Jul 2011, at 17:31, David Shaw wrote:
>>> Yes. Note that the list-packets output shows the internal packed value:
>>> 6553600 should come out to 201. The default of 65536 would encode to
>>> 96.
>>
>> I do indeed get 201. Out of interest, how is that calculated?
>
> https://tools.ietf.org/html/rfc4880#section-3.7.1.3
>
> The count is coded into a one-octet number using the following formula:
>
> #define EXPBIAS 6
> count = ((Int32)16 + (c & 15)) << ((c >> 4) + EXPBIAS);
>
> The above formula is in C, where "Int32" is a type for a 32-bit
> integer, and the variable "c" is the coded count, Octet 10.
>
>
> Hauke
> --
> PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
From lists at chrispoole.com Fri Jul 8 22:54:31 2011
From: lists at chrispoole.com (Chris Poole)
Date: Fri, 8 Jul 2011 21:54:31 +0100
Subject: Check that s2k-count has changed
In-Reply-To:
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
<46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
Message-ID: <5A1A70C3-6D6B-4F93-88A1-DB4E255405EF@chrispoole.com>
Thanks for the detailed response. I've done some C programming so it's not too alien to me.
I don't know if this would be of any real use (perhaps just for those that are pretty sure of the slowest machine they'll be decrypting their private key on), but a function to calculate how many rounds it takes to run for x.y seconds would be useful. KeePass, for example, automatically calculates how many rounds can be calculated in 1 second, and will set the count accordingly.
On 8 Jul 2011, at 20:08, David Shaw wrote:
> On Jul 8, 2011, at 2:35 PM, Chris Poole wrote:
>
>> On 8 Jul 2011, at 17:31, David Shaw wrote:
>>> Yes. Note that the list-packets output shows the internal packed value: 6553600 should come out to 201. The default of 65536 would encode to 96.
>>
>> I do indeed get 201. Out of interest, how is that calculated?
>
> Brace yourself. This is not pretty:
>
> #define S2K_DECODE_COUNT(_val) ((16ul + ((_val) & 15)) << (((_val) >> 4) + 6))
>
> OpenPGP historically has a bit of a phobia about using two or four bytes when it could be squeezed into one. Or even better, part of one. That's why the range of valid s2k-count values is 1024 through 65011712, but not all values are actually possible.
>
>> I also changed the digest algorithm to SHA512; the iter+salt line shows this, but still mentions SHA1 protection.
>
> It's using SHA512 for passphrase mangling. The SHA1 protection it is referencing is a checksum on the whole secret key packet itself. You can see the details in section 5.5.3 of RFC-4880, but basically it was added in response to the Klima-Rosa attack (which involved modifying the secret key in a way that the simple checksum used previously could not detect).
>
> David
>
From wk at gnupg.org Sat Jul 9 08:34:07 2011
From: wk at gnupg.org (Werner Koch)
Date: Sat, 09 Jul 2011 08:34:07 +0200
Subject: Check that s2k-count has changed
In-Reply-To: <5A1A70C3-6D6B-4F93-88A1-DB4E255405EF@chrispoole.com> (Chris
Poole's message of "Fri, 8 Jul 2011 21:54:31 +0100")
References:
<9B4C2AD6-8E0F-42E7-92EF-0BD013B1A239@jabberwocky.com>
<46BEDB83-4082-4B46-B06D-C8CF5B6E3EF7@chrispoole.com>
<5A1A70C3-6D6B-4F93-88A1-DB4E255405EF@chrispoole.com>
Message-ID: <87box455eo.fsf@vigenere.g10code.de>
On Fri, 8 Jul 2011 22:54, lists at chrispoole.com said:
> I don't know if this would be of any real use (perhaps just for those
> that are pretty sure of the slowest machine they'll be decrypting
> their private key on), but a function to calculate how many rounds it
> takes to run for x.y seconds would be useful. KeePass, for example,
See gnupg/agent/protect.c:calibrate_s2k_count .
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
From sattva at pgpru.com Mon Jul 11 15:36:12 2011
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Mon, 11 Jul 2011 20:36:12 +0700
Subject: timestamp notation @gnupg.org
In-Reply-To:
References: <20110603193259.4C19B8C069@nym.dizum.nl> <201106161321.14462.mailinglisten@hauke-laging.de> <87fwnaory7.fsf@vigenere.g10code.de> <201106161627.13391.mailinglisten@hauke-laging.de> <87aad3mmr5.fsf@vigenere.g10code.de>
Message-ID: <4E1AFC4C.1030300@pgpru.com>
Jerome Baum:
>> What I miss is a real use case for it. Is there someone implementing a
>> general purpose time stamping service? IIRC, there used to be some 10
>> years or more ago. Still any? I don't know.
>
> There are a lot of general purpose time stamping services, such as
> -- though that is the only one I
> know of that is OpenPGP-based.
1. http://www.timemarker.org/en/
2. https://www.metkavremeni.com/index-english.html
Full disclosure: i've been involved in designing the first one and
developed the second one top to bottom (except for the web UI
unfortunately).
The notation could have some (close to negligible) use in those cases,
however i as well as Werner don't see much practical sense in
timestamp-only sig type discussed in another subthread as all
timestamping operations are performed with a dedicated key anyway.
--
Vlad "SATtva" Miller
3d viz | security & privacy consulting
www.vladmiller.info | www.pgpru.com
From aaron.toponce at gmail.com Mon Jul 11 21:26:04 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Mon, 11 Jul 2011 13:26:04 -0600
Subject: Calculating ciphertext sizes
Message-ID: <20110711192604.GF1758@poseidon.cocyt.us>
When encrypting a plaintext source, is there a way to predict the size of
the ciphertext output? I'm sure this depends on the cipher used, as well if
compression or hashing algos are used.
Just curious.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From rjh at sixdemonbag.org Mon Jul 11 22:26:07 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Jul 2011 13:26:07 -0700
Subject: Calculating ciphertext sizes
In-Reply-To: <20110711192604.GF1758@poseidon.cocyt.us>
References: <20110711192604.GF1758@poseidon.cocyt.us>
Message-ID:
> When encrypting a plaintext source, is there a way to predict the size of
> the ciphertext output? I'm sure this depends on the cipher used, as well if
> compression or hashing algos are used.
The short answer is "yes," but it's hard to give a more precise answer
without knowing a lot of specifics. For instance, assuming you're running
AES in ECB mode, your ciphertext will be of size ceil(size/16)*16. Running
3DES in CBC mode, your ciphertext will be of size (ceil(size/8)+1)*8.
Etc., etc.
For any given encryption algorithm and operation mode the output size is
well-defined, but it's hard to give general answers for how it's computed.
From dshaw at jabberwocky.com Mon Jul 11 22:59:19 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Jul 2011 16:59:19 -0400
Subject: Calculating ciphertext sizes
In-Reply-To: <20110711192604.GF1758@poseidon.cocyt.us>
References: <20110711192604.GF1758@poseidon.cocyt.us>
Message-ID: <8AC90581-C70C-4F47-A964-18627608C896@jabberwocky.com>
On Jul 11, 2011, at 3:26 PM, Aaron Toponce wrote:
> When encrypting a plaintext source, is there a way to predict the size of
> the ciphertext output? I'm sure this depends on the cipher used, as well if
> compression or hashing algos are used.
The single largest thing that affects your output is the compression used, and how well your input compresses. For example, if you are encrypting straight text, you will get much better compression than if you are encrypting a movie file (which is generally already compressed, so can't be compressed much more, if at all). On top of that there is a bunch of general OpenPGP overhead (encrypted session key, etc).
The cipher does make a difference here, but it's small and dwarfed by other factors.
David
From dkg at fifthhorseman.net Mon Jul 11 23:08:35 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 11 Jul 2011 17:08:35 -0400
Subject: Calculating ciphertext sizes
In-Reply-To: <8AC90581-C70C-4F47-A964-18627608C896@jabberwocky.com>
References: <20110711192604.GF1758@poseidon.cocyt.us>
<8AC90581-C70C-4F47-A964-18627608C896@jabberwocky.com>
Message-ID: <4E1B6653.8060407@fifthhorseman.net>
On 07/11/2011 04:59 PM, David Shaw wrote:
> On Jul 11, 2011, at 3:26 PM, Aaron Toponce wrote:
>
>> When encrypting a plaintext source, is there a way to predict the size of
>> the ciphertext output? I'm sure this depends on the cipher used, as well if
>> compression or hashing algos are used.
>
> The single largest thing that affects your output is the compression used, and how well your input compresses. For example, if you are encrypting straight text, you will get much better compression than if you are encrypting a movie file (which is generally already compressed, so can't be compressed much more, if at all). On top of that there is a bunch of general OpenPGP overhead (encrypted session key, etc).
>
> The cipher does make a difference here, but it's small and dwarfed by other factors.
Note also that for material encrypted to public key(s), you'll need to
factor in an extra chunk of data for each targeted key (the public-key
encrypted session-key packet [0]); you can expect the size of this to
vary with the algorithm of each targeted key. This isn't technically
part of the "ciphertext", but it is part of the encrypted,
OpenPGP-formatted message. Without it, those recipients won't be able
to decrypt the message.
For very short messages, the encrypted session key packets can actually
dominate the contents of the resulting message.
Regards,
--dkg
[0] https://tools.ietf.org/html/rfc4880#section-5.1
From aaron.toponce at gmail.com Mon Jul 11 22:31:34 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Mon, 11 Jul 2011 14:31:34 -0600
Subject: Calculating ciphertext sizes
In-Reply-To:
References: <20110711192604.GF1758@poseidon.cocyt.us>
Message-ID: <20110711203134.GG1758@poseidon.cocyt.us>
On Mon, Jul 11, 2011 at 01:26:07PM -0700, Robert J. Hansen wrote:
> The short answer is "yes," but it's hard to give a more precise answer
> without knowing a lot of specifics. For instance, assuming you're running
> AES in ECB mode, your ciphertext will be of size ceil(size/16)*16. Running
> 3DES in CBC mode, your ciphertext will be of size (ceil(size/8)+1)*8.
> Etc., etc.
How can I get a breakdown of this with the various ciphers? Is it listed
somewhere, or just read the source code?
> For any given encryption algorithm and operation mode the output size is
> well-defined, but it's hard to give general answers for how it's computed.
Of course. I was looking more for a resource that might be able to explain
it to me better.
The reason for asking (which actually isn't related to GnuPG) was I wanted
to know the amount of data transferred over the wire with SCP. Knowing that
SCP and GPG use similar algs, I thought I would ask here (there are other
applications where GnuPG fits). From my limited testing, trying each of the
various ciphers, I found that at most, 1.2x the amount of data was
transferred, which surprised me, really.
So, I figured this might get a good discussion going, and I can certainly
learn more about encryption in the meantime.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From rjh at sixdemonbag.org Tue Jul 12 00:29:42 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Jul 2011 18:29:42 -0400
Subject: Calculating ciphertext sizes
In-Reply-To: <20110711203134.GG1758@poseidon.cocyt.us>
References: <20110711192604.GF1758@poseidon.cocyt.us>
<20110711203134.GG1758@poseidon.cocyt.us>
Message-ID:
> The reason for asking (which actually isn't related to GnuPG) was I wanted
> to know the amount of data transferred over the wire with SCP.
Then this isn't a question related to encipherment: this is a protocol question. Once you start looking at the protocol layer, other things have enormously more impact than just encryption operations. For instance, if your wire protocol requires data be 7-bit clean, binary data will expand out significantly. If your wire protocol supports compression, the transmitted data might substantially decrease.
In the case of SCP, the OpenSSH geeks do their best to obfuscate the size of the transmitted data. They do this in order to make traffic analysis more difficult, but it also makes predicting the amount of data sent more difficult.
From aaron.toponce at gmail.com Tue Jul 12 00:52:31 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Mon, 11 Jul 2011 16:52:31 -0600
Subject: Calculating ciphertext sizes
In-Reply-To:
References: <20110711192604.GF1758@poseidon.cocyt.us>
<20110711203134.GG1758@poseidon.cocyt.us>
Message-ID: <20110711225231.GJ1758@poseidon.cocyt.us>
On Mon, Jul 11, 2011 at 06:29:42PM -0400, Robert J. Hansen wrote:
> > The reason for asking (which actually isn't related to GnuPG) was I wanted
> > to know the amount of data transferred over the wire with SCP.
>
> Then this isn't a question related to encipherment: this is a protocol question. Once you start looking at the protocol layer, other things have enormously more impact than just encryption operations. For instance, if your wire protocol requires data be 7-bit clean binary data will expand out significantly. If your wire protocol supports compression, the transmitted data might substantially decrease.
>
> In the case of SCP, the OpenSSH geeks do their best to obfuscate the size of the transmitted data. They do this in order to make traffic analysis more difficult, but also makes predicting the amount of data sent more difficult.
Understood, however I disabled compression on the wire. I wanted raw data
with raw packets, and because the encryption algorithm is the primary data
manipulator, and I can only measure the data segment of the packets,
ignoring headers, I would think this works fairly well, unless I'm missing
something.
At any rate, the mathematics table of predicting the output of each input,
without compression or signing, would be very handy. Curious how you got
the numbers from before.
Thanks,
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From rjh at sixdemonbag.org Tue Jul 12 01:06:10 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Jul 2011 19:06:10 -0400
Subject: Calculating ciphertext sizes
In-Reply-To: <20110711225231.GJ1758@poseidon.cocyt.us>
References: <20110711192604.GF1758@poseidon.cocyt.us>
<20110711203134.GG1758@poseidon.cocyt.us>
<20110711225231.GJ1758@poseidon.cocyt.us>
Message-ID:
> At any rate, the mathematics table of predicting the output of each input,
> without compression or signing, would be very handy. Curious how you got
> the numbers from before.
AES is a 128-bit block cipher: it is incapable of producing outputs except in multiples of 128 bits (16 bytes). ECB mode is the simplest of all cipher operation modes: you read a block of plaintext (in this case, 16 bytes), if you read less than a block you null-pad it out to a block, you encrypt it, you move to the next block of plaintext. Hence, for a given size of plaintext, the AES-ECB output will be 16*ceil(size/16).
3DES is a 64-bit block cipher: ditto, except now it's 8 bytes. If you're running it in CBC mode then your first block of output is actually the initialization vector you're using for the output stream. So this will be 8*ceil(size/8) + 8, which I algebraically reduced to 8*(ceil(size/8) + 1).
A good crypto reference book (I'd recommend _The Handbook of Applied Cryptography_: it's old, but it's aged well) will describe the various operation modes. Once you understand how the modes work and what the block size is of your cipher, you can start crunching the numbers. The algebra is pretty simple, but understanding the modes and what kinds of output they create can sometimes be a pain in the posterior. Some modes are very straightforward (ECB, CBC, etc.), and others are fairly complex. I'll pay $5 to anyone who can recreate Sophie Germain Counter Mode [1] from memory. ;)
[1] http://eprint.iacr.org/2011/326.pdf
From mhaber at vp44.com Tue Jul 12 16:48:08 2011
From: mhaber at vp44.com (Marc Haber)
Date: Tue, 12 Jul 2011 16:48:08 +0200
Subject: Invoking gpg2.exe from C# script
Message-ID: <41404f2241973603a45217158e0ff03a.squirrel@webmail.vp44.net>
Hi guys.
I'm currently working on a small C# utility that, among other things, has
to decrypt files using GnuPG.
I would like the user to avoid typing the password each time, but I'm not
sure of how to call gpg2.exe while providing the passphrase on the command
line.
I tested this but it doesn't seem to work:
string sCommandLine = "echo \"" + passphrase + "\" | gpg2.exe --passphrase-fd 0 -o \""
    + outputFileNameFullPath + "\" --decrypt \"" + inputFileNameFullPath + "\"";
Any tips?
MH
From rjh at sixdemonbag.org Tue Jul 12 19:31:25 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 12 Jul 2011 13:31:25 -0400
Subject: Invoking gpg2.exe from C# script
In-Reply-To: <41404f2241973603a45217158e0ff03a.squirrel@webmail.vp44.net>
References: <41404f2241973603a45217158e0ff03a.squirrel@webmail.vp44.net>
Message-ID: <4E1C84ED.5010405@sixdemonbag.org>
On 7/12/11 10:48 AM, Marc Haber wrote:
> I would like the user to avoid typing the password each time, but I'm
> not sure of how to call gpg2.exe while providing the passphrase on
> the command line.
I'd suggest using P/Invoke on GPGME. Doing this from within managed
code is going to bring you nothing but tears.
From dougb at dougbarton.us Tue Jul 12 21:09:12 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 12 Jul 2011 12:09:12 -0700
Subject: Assertion failure from gnupg with enigmail 1.2
In-Reply-To: <4E1B9DA0.2090602@dougbarton.us>
References: <4E1B9DA0.2090602@dougbarton.us>
Message-ID: <4E1C9BD8.1070404@dougbarton.us>
I sent the following message to the enigmail list but they punted me to
you. :) To clarify, I can take the same command line and run it in a
terminal against a text file just fine. If you lot can tell me what the
failed assertion means, I can go back to the enigmail folks with more data.
Thanks,
Doug
Howdy,
I'm getting some odd errors with enigmail 1.2 and tb5 on FreeBSD. I just
sent a message to a mailing list and the "sign replies to signed mail"
auto-option kicked in, which is great. :) The problem is, the signature
on my message fails to validate, which has never happened to me before.
So then I tried sending myself a simple message and I get this:
enigmail> /usr/local/bin/gpg2 --charset utf8 --batch --no-tty
--status-fd 2 -t --clearsign -u 0x1A1ABC84 --use-agent
Assertion failed: (data), function mpi_from_sexp, file pkglue.c, line 41.
That line from pkglue.c:
static gcry_mpi_t
mpi_from_sexp (gcry_sexp_t sexp, const char * item)
{
  gcry_sexp_t list;
  gcry_mpi_t data;
  list = gcry_sexp_find_token (sexp, item, 0);
  assert (list);
  data = gcry_sexp_nth_mpi (list, 1, 0);
  assert (data); <<<<<<<<< line 41
  gcry_sexp_release (list);
  return data;
}
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
From dougb at dougbarton.us Tue Jul 12 23:59:39 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 12 Jul 2011 14:59:39 -0700
Subject: Assertion failure from gnupg with enigmail 1.2
In-Reply-To: <4E1C9BD8.1070404@dougbarton.us>
References: <4E1B9DA0.2090602@dougbarton.us> <4E1C9BD8.1070404@dougbarton.us>
Message-ID: <4E1CC3CB.4040504@dougbarton.us>
Ok, this patch was sent to me by someone who chose to reply privately.
It works, does it seem like the right thing to do?
http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2011-July/214517.html
Thanks,
Doug
On 07/12/2011 12:09, Doug Barton wrote:
> I sent the following message to the enigmail list but they punted me to
> you. :) To clarify, I can take the same command line and run it in a
> terminal against a text file just fine. If you lot can tell me what the
> failed assertion means, I can go back to the enigmail folks with more data.
>
>
> Thanks,
>
> Doug
>
>
>
> Howdy,
>
> I'm getting some odd errors with enigmail 1.2 and tb5 on FreeBSD. I just
> sent a message to a mailing list and the "sign replies to signed mail"
> auto-option kicked in, which is great. :) The problem is, the signature
> on my message fails to validate, which has never happened to me before.
>
> So then I tried sending myself a simple message and I get this:
>
> enigmail> /usr/local/bin/gpg2 --charset utf8 --batch --no-tty
> --status-fd 2 -t --clearsign -u 0x1A1ABC84 --use-agent
> Assertion failed: (data), function mpi_from_sexp, file pkglue.c, line 41.
>
> That line from pkglue.c:
>
> static gcry_mpi_t
> mpi_from_sexp (gcry_sexp_t sexp, const char * item)
> {
>   gcry_sexp_t list;
>   gcry_mpi_t data;
>
>   list = gcry_sexp_find_token (sexp, item, 0);
>   assert (list);
>   data = gcry_sexp_nth_mpi (list, 1, 0);
>   assert (data); <<<<<<<<< line 41
>   gcry_sexp_release (list);
>   return data;
> }
>
>
> Doug
>
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
From david at systemoverlord.com Wed Jul 13 00:17:26 2011
From: david at systemoverlord.com (David Tomaschik)
Date: Tue, 12 Jul 2011 18:17:26 -0400
Subject: Assertion failure from gnupg with enigmail 1.2
In-Reply-To:
References: <4E1B9DA0.2090602@dougbarton.us> <4E1C9BD8.1070404@dougbarton.us>
Message-ID:
Sorry, this was intended to be sent to the entire list, but I composed
it in a hurry.... my apologies.
On Tue, Jul 12, 2011 at 4:24 PM, David Tomaschik
wrote:
> assert() kills the program if the value in the parentheses evaluates
> to FALSE. In this case, that means that "data" evaluates to FALSE,
> which is most likely NULL.
>
> In this particular case, I recommend looking at
> http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2011-July/214517.html
>
> David
>
>
> On Tue, Jul 12, 2011 at 3:09 PM, Doug Barton wrote:
>> I sent the following message to the enigmail list but they punted me to
>> you. :) To clarify, I can take the same command line and run it in a
>> terminal against a text file just fine. If you lot can tell me what the
>> failed assertion means, I can go back to the enigmail folks with more data.
>>
>>
>> Thanks,
>>
>> Doug
>>
>>
>>
>> Howdy,
>>
>> I'm getting some odd errors with enigmail 1.2 and tb5 on FreeBSD. I just
>> sent a message to a mailing list and the "sign replies to signed mail"
>> auto-option kicked in, which is great. :) The problem is, the signature
>> on my message fails to validate, which has never happened to me before.
>>
>> So then I tried sending myself a simple message and I get this:
>>
>> enigmail> /usr/local/bin/gpg2 --charset utf8 --batch --no-tty
>> --status-fd 2 -t --clearsign -u 0x1A1ABC84 --use-agent
>> Assertion failed: (data), function mpi_from_sexp, file pkglue.c, line 41.
>>
>> That line from pkglue.c:
>>
>> static gcry_mpi_t
>> mpi_from_sexp (gcry_sexp_t sexp, const char * item)
>> {
>>   gcry_sexp_t list;
>>   gcry_mpi_t data;
>>
>>   list = gcry_sexp_find_token (sexp, item, 0);
>>   assert (list);
>>   data = gcry_sexp_nth_mpi (list, 1, 0);
>>   assert (data);        <<<<<<<<< line 41
>>   gcry_sexp_release (list);
>>   return data;
>> }
>>
>>
>> Doug
>>
>> --
>>
>>        Nothin' ever doesn't change, but nothin' changes much.
>>                        -- OK Go
>>
>>        Breadth of IT experience, and depth of knowledge in the DNS.
>>        Yours for the right price.  :)  http://SupersetSolutions.com/
>>
>>
>
>
>
> --
> David Tomaschik, RHCE, LPIC-1
> System Administrator/Open Source Advocate
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
--
David Tomaschik, RHCE, LPIC-1
System Administrator/Open Source Advocate
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
From wk at gnupg.org Wed Jul 13 05:45:06 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Jul 2011 05:45:06 +0200
Subject: Assertion failure from gnupg with enigmail 1.2
In-Reply-To: <4E1CC3CB.4040504@dougbarton.us> (Doug Barton's message of "Tue,
12 Jul 2011 14:59:39 -0700")
References: <4E1B9DA0.2090602@dougbarton.us> <4E1C9BD8.1070404@dougbarton.us>
<4E1CC3CB.4040504@dougbarton.us>
Message-ID: <87hb6q269p.fsf@vigenere.g10code.de>
On Tue, 12 Jul 2011 23:59, dougb at dougbarton.us said:
> It works, does it seem like the right thing to do?
Yes, this patch is correct. I was not aware that FreeBSD jumped to
Libgcrypt 1.5.0 so fast ;-).
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From dougb at dougbarton.us Wed Jul 13 05:59:41 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Tue, 12 Jul 2011 20:59:41 -0700
Subject: Assertion failure from gnupg with enigmail 1.2
In-Reply-To: <87hb6q269p.fsf@vigenere.g10code.de>
References: <4E1B9DA0.2090602@dougbarton.us> <4E1C9BD8.1070404@dougbarton.us>
<4E1CC3CB.4040504@dougbarton.us>
<87hb6q269p.fsf@vigenere.g10code.de>
Message-ID: <4E1D182D.9010309@dougbarton.us>
On 07/12/2011 20:45, Werner Koch wrote:
> On Tue, 12 Jul 2011 23:59, dougb at dougbarton.us said:
>
>> It works, does it seem like the right thing to do?
>
> Yes, this patch is correct. I was not aware that FreeBSD jumped to
> Libgcrypt 1.5.0 so fast ;-).
We rock. :)
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
From mhaber at vp44.com Wed Jul 13 10:02:11 2011
From: mhaber at vp44.com (Marc Haber)
Date: Wed, 13 Jul 2011 10:02:11 +0200
Subject: Invoking gpg2.exe from C# script
In-Reply-To: <4E1C84ED.5010405@sixdemonbag.org>
References: <41404f2241973603a45217158e0ff03a.squirrel@webmail.vp44.net>
<4E1C84ED.5010405@sixdemonbag.org>
Message-ID:
On Tue, July 12, 2011 7:31 pm, Robert J. Hansen wrote:
> On 7/12/11 10:48 AM, Marc Haber wrote:
>> I would like the user to avoid typing the password each time, but I'm
>> not sure of how to call gpg2.exe while providing the passphrase on
>> the command line.
>
> I'd suggest using P/Invoke on GPGME. Doing this from within managed
> code is going to bring you nothing but tears.
>
>
Thanks. That's exactly what I was looking for.
Any good examples you can point me to?
MH
From rjh at sixdemonbag.org Wed Jul 13 13:52:32 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 13 Jul 2011 07:52:32 -0400
Subject: Invoking gpg2.exe from C# script
In-Reply-To:
References: <41404f2241973603a45217158e0ff03a.squirrel@webmail.vp44.net>
<4E1C84ED.5010405@sixdemonbag.org>
Message-ID:
> Any good examples you can point me to?
Examples of what? P/Invoke? For that, check MSDN. (If you Google "p/invoke," it's the third or fourth link.) Of GPGME? Check the documentation.
Of using P/Invoke with GPGME? Not aware of any: the technique is sufficiently straightforward, once you understand P/Invoke and GPGME, that it doesn't need much documentation.
From lists at chrispoole.com Wed Jul 13 13:28:50 2011
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 13 Jul 2011 12:28:50 +0100
Subject: Why sign as well as encrypt files stored on untrusted drives?
Message-ID:
Hi
Say I encrypt a file to myself using my public key, and only I will
ever need or want to access the plaintext. The file will be stored on
an untrusted drive somewhere. I don't care about authenticity, in the
sense that I'll never need to prove to someone else that it was
actually I that sent that file. All I care is that I can get the
plaintext, and no-one else can.
I've read that it's a good idea to sign this file too, but I'm not sure why.
Surely if the file is changed then I've lost that data anyway, and the
file will fail to decrypt.
Is there some feasible attack that could change the encrypted data in
such a way that I won't notice it when I decrypt the file, but somehow
the file will still decrypt?
Thanks
Chris Poole
PGP key: BAD246F9
From rjh at sixdemonbag.org Wed Jul 13 14:45:49 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 13 Jul 2011 08:45:49 -0400
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID: <695E31C0-93B4-43DD-9296-5931C45FC962@sixdemonbag.org>
> I've read that it's a good idea to sign this file too, but I'm not sure why.
In case your needs change in the future. That's really all there is to it.
(Also, where did you read this?)
From lists at chrispoole.com Wed Jul 13 15:04:00 2011
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 13 Jul 2011 14:04:00 +0100
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To: <695E31C0-93B4-43DD-9296-5931C45FC962@sixdemonbag.org>
References:
<695E31C0-93B4-43DD-9296-5931C45FC962@sixdemonbag.org>
Message-ID:
On Wed, Jul 13, 2011 at 1:45 PM, Robert J. Hansen wrote:
> In case your needs change in the future. That's really all there is to it.
OK thanks. I won't bother then, as it's more hassle to have to type my
passphrase each time (I don't want to keep it on the agent).
> (Also, where did you read this?)
I can't remember, but possibly some Duplicity documentation. It's a backup
program that uses gpg for encryption, and allows for both encryption and
signing.
Cheers
Chris Poole
[PGP BAD246F9]
From jerome at jeromebaum.com Wed Jul 13 15:04:37 2011
From: jerome at jeromebaum.com (Jerome Baum)
Date: Wed, 13 Jul 2011 15:04:37 +0200
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
> Say I encrypt a file to myself using my public key,
> Is there some feasible attack that could change the encrypted data in
> such a way that I won't notice it when I decrypt the file, but somehow
> the file will still decrypt?
You've said it yourself. The attack is to encrypt something else to
your public key.
--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
From jerome at jeromebaum.com Wed Jul 13 15:10:34 2011
From: jerome at jeromebaum.com (Jerome Baum)
Date: Wed, 13 Jul 2011 15:10:34 +0200
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
<695E31C0-93B4-43DD-9296-5931C45FC962@sixdemonbag.org>
Message-ID:
> OK thanks. I won't bother then, as it's more hassle to have to type my
> passphrase each time (I don't want to keep it on the agent).
Have you considered a separate key for the signature?
--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
From dshaw at jabberwocky.com Wed Jul 13 15:48:50 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 13 Jul 2011 09:48:50 -0400
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
On Jul 13, 2011, at 7:28 AM, Chris Poole wrote:
> Hi
>
> Say I encrypt a file to myself using my public key, and only I will
> ever need or want to access the plaintext. The file will be stored on
> an untrusted drive somewhere. I don't care about authenticity, in the
> sense that I'll never need to prove to someone else that it was
> actually I that sent that file. All I care is that I can get the
> plaintext, and no-one else can.
>
> I've read that it's a good idea to sign this file too, but I'm not sure why.
>
> Surely if the file is changed then I've lost that data anyway, and the
> file will fail to decrypt.
>
>
> Is there some feasible attack that could change the encrypted data in
> such a way that I won't notice it when I decrypt the file, but somehow
> the file will still decrypt?
Yes. This was a concern in early PGP that was addressed in OpenPGP. Given the sort of encryption used (CFB), it was possible to chop/mangle the end of an encrypted blob and still have it decrypt properly. A contrived example would be "Hey, give $1,000,000 to Fred. Just kidding!". Fred could then arrange to mangle the end. (It's not that simple, as there are other issues involved, and Fred has to get access to the file anyway, etc, etc, but you get the idea).
Signing does eliminate this possible problem, yes, which is possibly why you saw that advice out there (though you have to remember to check the signature). However, OpenPGP has a built-in protection for this sort of thing: the MDC. This is a hash of the message contents, included in the encrypted message, that protects against message tampering like this. When decrypting, you would see something like "WARNING: encrypted message has been manipulated!" if the MDC turned out bad. The MDC has been on by default for many years now, so it is likely you have it enabled for your key, unless it is very old. To check, run:
gpg --edit-key (yourkey) showpref
Look in the "Features" line for "MDC".
So short answer is that you most likely don't need to sign your files just to avoid tampering - there was a reason for signing at one point, but it's no longer there.
Back to your original issue though, note that if Fred can get access to your (untrusted) drive, he can just replace the whole file with whatever he likes (since he just needs your public key to encrypt a new file), with no fussy message tampering needed. That may or may not be an issue in your situation. Signing does help there since Fred presumably doesn't have access to your secret key.
David
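The truncation issue and the MDC check described in the message above, as an added example that is not part of the original thread and is not GnuPG's code. Assumptions: a keyed hash stands in for the block cipher's forward function (CFB never uses the decrypt direction), the key, IV and function names are constructed, and the MDC is reduced to a SHA-1 of the plaintext appended before encryption, without OpenPGP's real packet framing.

```python
import hashlib
import hmac

BLOCK = 16    # block size in bytes (128-bit block)
MDC_LEN = 20  # length of a SHA-1 digest


def _forward(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encrypt direction (assumption: a keyed
    # PRF, not a real cipher). CFB mode never needs the decrypt direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    out = bytearray()
    feedback = iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = _forward(key, feedback)
        piece = bytes(a ^ b for a, b in zip(chunk, stream))
        out += piece
        # The next keystream block is derived from the *ciphertext* block,
        # so every prefix of a ciphertext is itself a valid ciphertext.
        feedback = chunk if decrypt else piece
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return _cfb(key, iv, plaintext, decrypt=False)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _cfb(key, iv, ciphertext, decrypt=True)


def seal_with_mdc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Simplified MDC: the hash of the contents travels inside the encryption.
    return cfb_encrypt(key, iv, plaintext + hashlib.sha1(plaintext).digest())


def open_with_mdc(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    clear = cfb_decrypt(key, iv, ciphertext)
    body, digest = clear[:-MDC_LEN], clear[-MDC_LEN:]
    if len(clear) < MDC_LEN or not hmac.compare_digest(
            hashlib.sha1(body).digest(), digest):
        raise ValueError("encrypted message has been manipulated")
    return body


# Constructed sample values; a real system uses a random IV per message.
KEY = b"constructed demo key"
IV = bytes(BLOCK)
MESSAGE = b"Hey, give $1,000,000 to Fred. Just kidding!"
CUT = MESSAGE.index(b" Just kidding!")  # where the tail gets chopped off


def truncate_plain_cfb() -> bytes:
    """Chop the ciphertext tail; bare CFB decrypts what is left cleanly."""
    return cfb_decrypt(KEY, IV, cfb_encrypt(KEY, IV, MESSAGE)[:CUT])


def truncate_mdc() -> str:
    """Same chop against the MDC-protected form; the hash no longer matches."""
    try:
        open_with_mdc(KEY, IV, seal_with_mdc(KEY, IV, MESSAGE)[:CUT])
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(truncate_plain_cfb())
    print(truncate_mdc())
```

The hash here is unkeyed, so it only catches changes to an existing ciphertext; it does nothing against the whole-file replacement raised at the end of the message, which is where a signature helps.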
From aaron.toponce at gmail.com Wed Jul 13 16:09:55 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Wed, 13 Jul 2011 08:09:55 -0600
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID: <20110713140955.GP1758@poseidon.cocyt.us>
On Wed, Jul 13, 2011 at 12:28:50PM +0100, Chris Poole wrote:
> Surely if the file is changed then I've lost that data anyway, and the
> file will fail to decrypt.
Not true. If the drive is an untrusted drive, then you must assume others
have access to the data. Because all that is needed is your public key to
encrypt data to you, the encrypted file could be replaced by another
encrypted file, and you would be none the wiser until you decrypted it.
Signing the file requires access to your private key, something you should
only have access to.
However, even if the file is signed, that still doesn't prevent someone
from replacing the file. After all, it is an untrusted drive. But, at least
the signature could be a preventative measure you could take before
decryption, to ensure that the file is indeed the one you encrypted
yourself.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From lists at chrispoole.com Wed Jul 13 17:27:29 2011
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 13 Jul 2011 16:27:29 +0100
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
On Wed, Jul 13, 2011 at 2:04 PM, Jerome Baum wrote:
> You've said it yourself. The attack is to encrypt something else to your
> public key.
You're right. Somehow I hadn't thought about someone being able to simply
encrypt a file with the same filename as an existing file to me, with some
nefarious content.
A separate encrypted file is kept, storing a manifest of the backed up files
(i.e., which file is in which encrypted container), so I think it'd be more
along the lines of getting lucky, since the program (Duplicity) would realise
that a file that should be in a certain container isn't, or something extra is
there in its place.
> Have you considered a separate key for the signature?
I use a separate signing key anyway, for all my signatures. How would using a
separate key help here?... I'd still need to give my passphrase somehow.
Cheers
Chris Poole
[PGP BAD246F9]
From lists at chrispoole.com Wed Jul 13 17:34:55 2011
From: lists at chrispoole.com (Chris Poole)
Date: Wed, 13 Jul 2011 16:34:55 +0100
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
On Wed, Jul 13, 2011 at 2:48 PM, David Shaw wrote:
> Look in the "Features" line for "MDC".
My key does indeed have this feature; thanks for the informative reply.
> Back to your original issue though, note that if Fred can get access to your
> (untrusted) drive, he can just replace the whole file with whatever he likes
> (since he just needs your public key to encrypt a new file), with no fussy
> message tampering needed. That may or may not be an issue in your
> situation. Signing does help there since Fred presumably doesn't have access
> to your secret key.
I had failed to realise this, somehow. A separate manifest file (also encrypted)
keeps track of which encrypted containers hold which files, so the attack is
definitely harder (or at least more noticeable). I think it's still best to sign
though, just to remove more possible attack vectors.
Cheers
Chris Poole
[PGP BAD246F9]
From Roland.Lorenz at commerzbank.com Wed Jul 13 14:49:26 2011
From: Roland.Lorenz at commerzbank.com (Lorenz, Roland)
Date: Wed, 13 Jul 2011 14:49:26 +0200
Subject: BUG 1253 hace 8 horas *** No rule to make target
`../cipher/libcipher.a', needed by `gpgsplit'. Stop chatting diegoas
Message-ID: <333F42CEF4600645A5546B1DA78297900B03A221@SE002593.cs.commerzbank.com>
Hi,
I tried to build gnupg-1.4.11 on a local Solaris 10 zone and got the same error as described in bug 1253:
make[1]: *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop.
I could not resolve the problem by using a current gnu make instead of the Solaris make.
The problem is stated as "solved" in your tasklist, but unfortunately I cannot look into the solution.
Please assist.
Kind regards
Roland Lorenz
Commerzbank AG
Group Information Technology
GS-ITR 3.2.1 - SAP Technical Services
Postal address: 60261 Frankfurt am Main
Offices: Mainzer Landstr. 155, 60327 Frankfurt am Main
DLZ4 05.66.228
Tel.: +49 69 136 - 459 23
roland.lorenz at commerzbank.com
http://www.commerzbank.de
Commerzbank Aktiengesellschaft, Frankfurt am Main
Handelsregister/Commercial Register: Amtsgericht Frankfurt am Main, HRB 32000
Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Klaus-Peter Müller
Vorstand/Board of Managing Directors: Martin Blessing (Vorsitzender/Chairman),
Frank Annuscheit, Markus Beumer, Achim Kassow, Jochen Klösges, Michael Reuther,
Stefan Schmittmann, Ulrich Sieber, Eric Strutz, Martin Zielke
From aaron at aaronkaufman.com Thu Jul 14 04:07:43 2011
From: aaron at aaronkaufman.com (Aaron Kaufman)
Date: Wed, 13 Jul 2011 19:07:43 -0700
Subject: keysigning parties
Message-ID: <20110714020743.GB86502@epic.fisix.net>
Hello,
This is my first post to this list so please excuse me if I violate any
etiquette. I am having a really hard time finding any *current* info on
key signing parties. I was wondering if someone could point me in the
right direction.
Thanks,
--
Aaron
From jerome at jeromebaum.com Thu Jul 14 05:58:50 2011
From: jerome at jeromebaum.com (Jerome Baum)
Date: Thu, 14 Jul 2011 05:58:50 +0200
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
>> Have you considered a separate key for the signature?
>
> I use a separate signing key anyway, for all my signatures. How would using a
> separate key help here?... I'd still need to give my passphrase somehow.
You mentioned not wanting to keep the passphrase in gpg-agent. That
problem might disappear with a separate key.
On the manifest file, if you're hashing the encrypted files then it's
really useless (the attacker can just re-hash and re-encrypt for the
manifest file). However, it can still be useful -- if you sign only
the manifest file, you only have to enter your passphrase once, and
you can still verify a given file.
(Watch out though: You have to make sure all the files are authentic
before you hash them -- e.g. by checking the old hashes -- but what
happens if I replace a file just after you've verified it but before
you're about to re-hash it? Kind of like a bait-and-switch.)
--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
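The manifest points in the message above, as an added example that is not part of the original thread and is not Duplicity's code. Assumptions: an HMAC with a secret kept off the untrusted drive stands in for the OpenPGP signature on the manifest, and the file names, contents and function names are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(directory: str) -> dict:
    """Map each container name to the hash of its (encrypted) bytes."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            manifest[name] = sha256_hex(fh.read())
    return manifest


def authenticate_manifest(manifest: dict, secret: bytes) -> str:
    # Stand-in for signing the manifest once (assumption: HMAC, not OpenPGP).
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(secret, blob, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, secret: bytes) -> bool:
    return hmac.compare_digest(authenticate_manifest(manifest, secret), tag)


def read_verified(directory: str, name: str, manifest: dict) -> bytes:
    """Read once, hash those exact bytes, return the same bytes.

    Re-opening the file after the check would leave a window for the
    bait-and-switch; anything done next (decrypting, re-hashing for a new
    manifest) should work on the returned bytes, not on the path.
    """
    with open(os.path.join(directory, name), "rb") as fh:
        data = fh.read()
    expected = manifest.get(name)
    if expected is None or not hmac.compare_digest(sha256_hex(data), expected):
        raise ValueError(f"{name}: does not match the manifest")
    return data


def demo() -> dict:
    secret = b"constructed secret, never stored on the drive"
    results = {}
    with tempfile.TemporaryDirectory() as drive:
        # Constructed stand-ins for encrypted containers on the drive.
        for name, blob in (("vol1.gpg", b"constructed container 1"),
                           ("vol2.gpg", b"constructed container 2")):
            with open(os.path.join(drive, name), "wb") as fh:
                fh.write(blob)
        manifest = build_manifest(drive)
        tag = authenticate_manifest(manifest, secret)
        results["intact_ok"] = (
            read_verified(drive, "vol1.gpg", manifest)
            == b"constructed container 1")

        # A container is swapped and the manifest re-hashed to match it.
        with open(os.path.join(drive, "vol2.gpg"), "wb") as fh:
            fh.write(b"substituted container")
        rehashed = build_manifest(drive)
        # Hashes alone agree with the swapped file; only the tag catches it.
        results["rehashed_matches_files"] = (
            rehashed["vol2.gpg"] == sha256_hex(b"substituted container"))
        results["rehashed_manifest_accepted"] = manifest_is_authentic(
            rehashed, tag, secret)
        results["original_manifest_accepted"] = manifest_is_authentic(
            manifest, tag, secret)
        try:
            read_verified(drive, "vol2.gpg", manifest)
            results["swap_detected"] = False
        except ValueError:
            results["swap_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```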
From dshaw at jabberwocky.com Thu Jul 14 06:14:12 2011
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 14 Jul 2011 00:14:12 -0400
Subject: keysigning parties
In-Reply-To: <20110714020743.GB86502@epic.fisix.net>
References: <20110714020743.GB86502@epic.fisix.net>
Message-ID: <8FA3936F-45CB-4EDC-B7FF-5CFB4562A6E3@jabberwocky.com>
On Jul 13, 2011, at 10:07 PM, Aaron Kaufman wrote:
> Hello,
>
> This is my first post to this list so please excuse me if I violate any
> etiquette. I am having a really hard time finding any *current* info on
> key signing parties. I was wondering if someone could point me in the
> right direction.
Are you looking to find a party to get your key signed? If so, check out www.biglumber.com. That has both individual people as well as events (parties).
Are you looking for information about what happens at the parties (i.e. the keysigning protocols)? If so, check out the "methods" links under www.keysigning.org. That site has some event info as well.
There are other sites, but those are good starting points.
David
From rjh at sixdemonbag.org Thu Jul 14 06:15:47 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 14 Jul 2011 00:15:47 -0400
Subject: keysigning parties
In-Reply-To: <20110714020743.GB86502@epic.fisix.net>
References: <20110714020743.GB86502@epic.fisix.net>
Message-ID: <65D194CC-C6E1-489B-955D-D592AEEBB9FE@sixdemonbag.org>
> I am having a really hard time finding any *current* info on
> key signing parties. I was wondering if someone could point me in the
> right direction.
What sort of information do you need?
If it's, "how do I find one?", the best answer is, "throw one!" Turn it into a social event: do something like host a doubleheader of _Sneakers_ and _The Conversation_, tell people to BYOB and bring printed slips with their certificate fingerprints.
If it's, "how do we share certificate fingerprints quickly?", the general protocol is this. Before the party, everyone gets told a headcount for attendees. Each participant is required to bring a number of printed copies of their fingerprint. Each copy has the person's name, the identity documents they'll be presenting, and their preferred email address. (I have my email address and fingerprint on my business cards: for me, I just write down "passport + DL" on the back and I'm done.)
At the party, divide the attendees into two equal groups. Assemble them into two lines facing each other. Each pair of people verifies each other's identity documents and pockets the other person's fingerprint slip. If for whatever reason you want to reject an identity document, you put a strikethrough on that part of the slip.
After a couple of minutes, each pair of people will be finished. The line moves down one, and the person who just 'fell off the end' cycles back to the first position. Repeat this until the entire line has been completed.
* Why paper slips? -- because the fingerprint is really all you need to circulate: with the fingerprint the recipient can find it on the keyservers. Also, if you share media you open the door for propagating malware, and that's a Bad Thing.
* Why put the documents you're presenting on each slip? -- because if you're collecting papers and fingerprints from 25 other people, it's handy to have a way to remember, "ah, right, key 0xD6B98E10 -- I saw Rob's passport and his driver's license." This sort of information is useful: it may enter into some people's security models.
* Why reject documents? -- because people are allowed to have their own security policies, and some people may say, "I don't know what a valid Connecticut driver's license looks like, so I'm going to reject this DL because I have no way of telling if it's real."
From dkg at fifthhorseman.net Thu Jul 14 06:28:24 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 14 Jul 2011 00:28:24 -0400
Subject: keysigning parties
In-Reply-To: <8FA3936F-45CB-4EDC-B7FF-5CFB4562A6E3@jabberwocky.com>
References: <20110714020743.GB86502@epic.fisix.net>
<8FA3936F-45CB-4EDC-B7FF-5CFB4562A6E3@jabberwocky.com>
Message-ID: <4E1E7068.60109@fifthhorseman.net>
On 07/14/2011 12:14 AM, David Shaw wrote:
> On Jul 13, 2011, at 10:07 PM, Aaron Kaufman wrote:
>
>> This is my first post to this list so please excuse me if i violate any
>> etiquette. I am having a really hard time finding any *current* info on
>> key signing parties. I was wondering if someone could point me in the
>> right direction.
>
> Are you looking to find a party to get your key signed? [...]
> Are you looking for information about what happens at the parties[...]
Are you looking for information about how a keysigning party is run
today? DebConf11 (starting in a little more than a week from today in
Bosnia) will have a KSP. Info on how it is being organized is here:
http://people.debian.org/~anibal/ksp-dc11/ksp-dc11.html
Regards,
--dkg
From rjh at sixdemonbag.org Thu Jul 14 06:43:50 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 14 Jul 2011 00:43:50 -0400
Subject: keysigning parties
In-Reply-To: <4E1E7068.60109@fifthhorseman.net>
References: <20110714020743.GB86502@epic.fisix.net>
<8FA3936F-45CB-4EDC-B7FF-5CFB4562A6E3@jabberwocky.com>
<4E1E7068.60109@fifthhorseman.net>
Message-ID: <6490D5AF-6EA0-4919-89AE-B9162B5FFE8B@sixdemonbag.org>
> Are you looking for information about how a keysigning party is run
> today?
If by "a" you mean "one particular," I have no objection: if by "a" you mean "in general," I object. :)
There are techniques that focus on "let's get this over with as soon as possible, even if it requires copious prep ahead-of-time and special equipment like projectors," and techniques that focus on "well, this is largely an ad-hoc thing, so let's depend on as little special equipment as possible, and a simple system that everyone understands." I think it's best to choose a method that fits your particular needs, and to err on the side of simplicity.
From wk at gnupg.org Thu Jul 14 09:51:59 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Jul 2011 09:51:59 +0200
Subject: BUG 1253 hace 8 horas *** No rule to make target
`../cipher/libcipher.a', needed by `gpgsplit'. Stop chatting diegoas
In-Reply-To: <333F42CEF4600645A5546B1DA78297900B03A221@SE002593.cs.commerzbank.com>
(Roland Lorenz's message of "Wed, 13 Jul 2011 14:49:26 +0200")
References: <333F42CEF4600645A5546B1DA78297900B03A221@SE002593.cs.commerzbank.com>
Message-ID: <8739i91eqo.fsf@vigenere.g10code.de>
On Wed, 13 Jul 2011 14:49, Roland.Lorenz at commerzbank.com said:
> make[1]: *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop.
>
> I could not resolve the problem by using a current gnu make instead of the Solaris make.
> The problem is stated as "solved" in your tasklist, but unfortunately I cannot look into the solution.
Right, there is a request on the mailing list but no follow-up. This is
usually a dependency problem; to work around it you may try
cd cipher
make
cd ../tools
make
cd ..
(Please see also http://gnupg.org/service.html).
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From lists at chrispoole.com Thu Jul 14 11:48:10 2011
From: lists at chrispoole.com (Chris Poole)
Date: Thu, 14 Jul 2011 10:48:10 +0100
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID:
On Thu, Jul 14, 2011 at 4:58 AM, Jerome Baum wrote:
> On the manifest file, if you're hashing the encrypted files then it's
> really useless (the attacker can just re-hash and re-encrypt for the
> manifest file).
Yes, Duplicity uses these message digests only as a checksum, to make
sure corruption didn't occur during network transfer (i.e., nothing
cryptographic).
Thanks for the help. I'm just going to get used to entering my
passphrase a little more!
Cheers
Chris Poole
[PGP BAD246F9]
From faramir.cl at gmail.com Sat Jul 16 03:01:48 2011
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 15 Jul 2011 21:01:48 -0400
Subject: Why sign as well as encrypt files stored on untrusted drives?
In-Reply-To:
References:
Message-ID: <4E20E2FC.80709@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 13-07-2011 7:28, Chris Poole wrote:
...
> Is there some feasible attack that could change the encrypted data
> in such a way that I won't notice it when I decrypt the file, but
> somehow the file will still decrypt?
Anyone that has a copy of your public key -and by definition, it is
public, and you included the KeyID on your message- can encrypt a file
to you. So, somebody could encrypt a different file to your public key,
and replace the encrypted file in the untrusted drive. You would be able
to decrypt it, and depending on the content of the file, maybe you would
not notice it is not the original file (imagine it is a list of email
addresses, with dozens of addresses, you would not notice if one is
missing, or if there is one extra address).
A signature would let you know easily if the file has changed.
But I'm not saying you should sign it, it is up to you. Princess Leia
would sign the message she loaded into R2D2, to prevent things like
"This is Red 5, I'm ready to fire my torpedoes, but... I don't see the
target, are you sure you have the right blueprints of Death Star?".
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
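The point made in this thread about unkeyed manifest digests versus a signature, as an added example that is not part of the original posts and is not Duplicity's or GnuPG's code. It assumes constructed sample blobs in place of real encrypted volumes, and an HMAC with a key kept off the drive stands in for the OpenPGP signature; all function names are hypothetical.

```python
import hashlib
import hmac
import json


def digest_entries(files):
    """Map each stored file name to the SHA-256 hex digest of its bytes."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in files.items()}


def manifest_tag(entries, key):
    """HMAC-SHA256 over a canonical encoding of the digest table."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_manifest(files, key=None):
    """Checksum-only manifest when key is None, authenticated one otherwise."""
    entries = digest_entries(files)
    manifest = {"entries": entries}
    if key is not None:
        manifest["tag"] = manifest_tag(entries, key)
    return manifest


def verify(files, manifest, key=None):
    """Return a list of problems; an empty list means the backup is accepted."""
    problems = []
    entries = manifest.get("entries", {})
    if key is not None:
        expected = manifest_tag(entries, key)
        if not hmac.compare_digest(str(manifest.get("tag", "")), expected):
            problems.append("manifest tag does not verify")
    for name in sorted(set(entries) | set(files)):
        if name not in files:
            problems.append("missing file: " + name)
        elif name not in entries:
            problems.append("file not in manifest: " + name)
        elif hashlib.sha256(files[name]).hexdigest() != entries[name]:
            problems.append("digest mismatch: " + name)
    return problems


def substitute(files, manifest, name, new_blob):
    """Model of what write access to the drive allows: swap one file and
    recompute the public checksum table. An existing tag can only be copied,
    because producing a new one needs the key that never left the owner."""
    swapped = dict(files)
    swapped[name] = new_blob
    rebuilt = {"entries": digest_entries(swapped)}
    if "tag" in manifest:
        rebuilt["tag"] = manifest["tag"]
    return swapped, rebuilt


# Constructed sample data: opaque stand-ins for two encrypted backup volumes.
ORIGINAL = {
    "vol1.gpg": b"\x85\x01\x0c constructed ciphertext A",
    "vol2.gpg": b"\x85\x01\x0c constructed ciphertext B",
}
REPLACEMENT = b"\x85\x01\x0c different file encrypted to the same public key"
OWNER_KEY = b"constructed-demo-key-kept-off-the-drive"


def demo():
    """Run the same substitution against both kinds of manifest."""
    plain = build_manifest(ORIGINAL)
    keyed = build_manifest(ORIGINAL, OWNER_KEY)
    files1, plain2 = substitute(ORIGINAL, plain, "vol1.gpg", REPLACEMENT)
    files2, keyed2 = substitute(ORIGINAL, keyed, "vol1.gpg", REPLACEMENT)
    return {
        "untouched": verify(ORIGINAL, keyed, OWNER_KEY),
        "checksum_only": verify(files1, plain2),
        "authenticated": verify(files2, keyed2, OWNER_KEY),
        "old_manifest_kept": verify(files2, keyed, OWNER_KEY),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "accepted")
```

The checksum-only manifest accepts the swapped volume, while the authenticated one flags it whether the digest table is rebuilt or left alone.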
From brewhaha at freenet.edmonton.ab.ca Mon Jul 18 21:57:35 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Mon, 18 Jul 2011 13:57:35 -0600
Subject: Can version 1.4.11 be configured to use IDEA?
Message-ID: <4E24902F.5030609@freenet.edmonton.ab.ca>
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
-----END PGP MESSAGE-----
From johanw at vulcan.xs4all.nl Mon Jul 18 23:04:20 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 18 Jul 2011 23:04:20 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24902F.5030609@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
Message-ID: <4E249FD4.9070603@vulcan.xs4all.nl>
On 18-07-2011 21:57, Jay Litwyn wrote:
> Or do I need to use version 1.4.9?
I have no problem using idea.dll with 1.4.11. I didn't need to change
anything to the config file, just the line
load-extension c:\program files\gnu\gnupg\idea.dll
with the correct path to idea.dll of course, and including the .dll
extension.
--
Kind regards,
Johan Wevers
From expires2011 at ymail.com Mon Jul 18 23:16:34 2011
From: expires2011 at ymail.com (MFPA)
Date: Mon, 18 Jul 2011 22:16:34 +0100
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24902F.5030609@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
Message-ID: <131304231.20110718221634@my_localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi
On Monday 18 July 2011 at 8:57:35 PM, in
, Jay Litwyn wrote:
> Or do I need to use version 1.4.9? I saw a message to the effect
> that 1.4.9 will use idea.dll. So far, I hav been unable to configure
> 1.4.11 to use idea.
Including the following line in my gpg.conf file works here:-
load-extension [PATH]\idea.dll
Replace "[PATH]" with the actual path to your idea.dll file.
I am using v1.4.11 under Windows XP. I don't normally use idea.dll but
just tried and including that line still works (insofar as it causes
IDEA to appear in the cipher list when I type gpg --version).
- --
Best regards
MFPA mailto:expires2011 at ymail.com
A bird in the hand makes it awfully hard to blow your nose
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
From johanw at vulcan.xs4all.nl Tue Jul 19 00:13:30 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue, 19 Jul 2011 00:13:30 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24A976.8030103@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
<4E249FD4.9070603@vulcan.xs4all.nl>
<4E24A976.8030103@freenet.edmonton.ab.ca>
Message-ID: <4E24B00A.4010303@vulcan.xs4all.nl>
On 18-07-2011 23:45, Jay Litwyn wrote:
> I tried that. Because I sometimes use gpg from the command line, my configuration line reads:
> load-extension c:\gnupg\idea.dll
> It doesn't work, even if I move gpg.conf to my pub directory: I still get "invalid cipher" from trying to decrypt my own private key. And like, hey!, to the other guy who replied, no point is in a signature with more than 128 bits, either: SHA512 is incompatible with gpg 1.2.2: Computer's can't even count to 2^64 in less than 2^32 seconds.
On Windows you have to put gpg.conf somewhere in your homedir, it
depends on the Windows version where that exactly is. gpg --version
shows you which gpg.conf it is using.
--
Kind regards,
Johan Wevers
From brewhaha at freenet.edmonton.ab.ca Tue Jul 19 02:40:22 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Mon, 18 Jul 2011 18:40:22 -0600
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24B00A.4010303@vulcan.xs4all.nl>
References: <4E24902F.5030609@freenet.edmonton.ab.ca> <4E249FD4.9070603@vulcan.xs4all.nl> <4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
Message-ID: <4E24D276.1040306@freenet.edmonton.ab.ca>
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
-----END PGP MESSAGE-----
From rjh at sixdemonbag.org Tue Jul 19 03:57:24 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 18 Jul 2011 21:57:24 -0400
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24D276.1040306@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca> <4E249FD4.9070603@vulcan.xs4all.nl> <4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
<4E24D276.1040306@freenet.edmonton.ab.ca>
Message-ID: <83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
Is there some particular reason why you send messages in an obfuscated format?
That said: on Windows you can usually find it in %APPDIR%\Roaming\GnuPG, at least for Win 7. Otherwise, I'd suggest familiarizing yourself with Windows' facilities to search for a file by filename, and search through %APPDIR% looking for gpg.conf.
Also, you really ought to consider upgrading. 1.2.2 is really, really old. Many bugfixes have come and gone since then.
From brewhaha at freenet.edmonton.ab.ca Tue Jul 19 09:45:43 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Tue, 19 Jul 2011 01:45:43 -0600
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E24B00A.4010303@vulcan.xs4all.nl>
References: <4E24902F.5030609@freenet.edmonton.ab.ca> <4E249FD4.9070603@vulcan.xs4all.nl> <4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
Message-ID: <4E253627.6010603@freenet.edmonton.ab.ca>
Looks like the answer to my question iz: Not legally. I was thinking
that IDEA was more than ten years old, which I thot meant that the
patent on it was expired. Silly me, though, looks like patent law
changed for about seven more years of length. So, while I'm waiting for
six months or whatever, I might az well change the password (and
encryption algo) on my private key with gpg 1.2.2., and then migrate to
1.4.11.
Hopefully, I can use the same key with PDF. Kuz, if not, then I *do*
know how to convert PDF keys (S/MIME) to PGP format, and I want only one
key for everything. I revoked a subkey before I realized that people
need it to encrypt messages to me.
_______
http://ecn.ab.ca/~brewhaha/
From brewhaha at freenet.edmonton.ab.ca Tue Jul 19 10:55:11 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Tue, 19 Jul 2011 02:55:11 -0600
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E253627.6010603@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca> <4E249FD4.9070603@vulcan.xs4all.nl> <4E24A976.8030103@freenet.edmonton.ab.ca> <4E24B00A.4010303@vulcan.xs4all.nl>
<4E253627.6010603@freenet.edmonton.ab.ca>
Message-ID: <4E25466F.5000803@freenet.edmonton.ab.ca>
-----BEGIN PGP SIGNED MESSAGE-----
To make a long story short.
I created a key with jenuine pgp 10.
I exported it with IDEA.
I made gpg 1.2.2 work with IDEA.
Making gpg 1.4.11 work with IDEA failed.
I changed my pass-phrase using --crypt-algo CAST5 with 1.2.2.
Now, enigmail works, so I am one happy camper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From j-001 at ottosson.nu Tue Jul 19 01:20:21 2011
From: j-001 at ottosson.nu (J. Ottosson)
Date: Tue, 19 Jul 2011 01:20:21 +0200
Subject: Where are those stubs..
Message-ID: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
An HTML attachment was scrubbed...
URL:
From Jared.Crain at alterian.com Tue Jul 19 21:09:33 2011
From: Jared.Crain at alterian.com (Crain, Jared)
Date: Tue, 19 Jul 2011 19:09:33 +0000
Subject: GPG on Windows 2003
Message-ID: <2E01A3BDA83B26498434DBEE8358E6F612A3A896@CH-INF-EXCH01.Alterian.com>
Hi, all. Please CC me on any replies, as I am not subscribed to the list.
I have GPG installed on a Windows 2003 server (32-bit). Looking in the install folder, it appears that it is GPG version 1.2.2.
I am having an issue when I try to decrypt a file whose decrypted size is greater than 2 GB. When encrypted, the file is smaller as it is encrypted and compressed. When I run the decryption, no error is output (output matches for files whose decrypted size is less than 2 GB; files that are decrypted successfully/completely). If the decrypted size is over 2 GB, the decryption takes place, and a file of exactly 2 GB is created. I have read elsewhere that GPG can decrypt files of effectively unlimited size. Here are my questions:
1) I wonder if this is related to the server being a 32-bit windows server (since each application can only address up to 2 GB of memory). However, it appears that GPG streams the decrypted results out, not holding the result in memory. Also, when watching the system performance while GPG is decrypting, I do not see a spike in memory usage. Is there something GPG is doing that might cause it to hit this limit? If it is GPG hitting some sort of 2 GB limit because of the OS, does anyone know of any work-arounds?
2) Do I need to upgrade to a more recent version of GPG? I see there is now something called "gpg4win 2.1.0". When I originally installed GPG on this server, I do not recall that being available. Is it actually GPG version 2.1.0, or is it GPG version 1.4.11 in gpg4 win version 2.1.0? And can I install this without wiping out my existing keychains, etc?
Many thanks for any feedback you can provide.
-Jared Crain
jared.crain at alterian.com
Jared Crain
Software Developer
+1 661 367 9966
+1 818 442 1752
Jared.Crain at alterian.com
Alterian | www.alterian.com | LSE:ALN
25152 Springfield Court, Suite 360, Valencia, CA 91355, USA | t: +1 661 367 9970 | f: +1 661 367 9969
From Jared.Crain at alterian.com Tue Jul 19 21:39:00 2011
From: Jared.Crain at alterian.com (Crain, Jared)
Date: Tue, 19 Jul 2011 19:39:00 +0000
Subject: GPG on Windows 2003
Message-ID: <2E01A3BDA83B26498434DBEE8358E6F612A3A8F2@CH-INF-EXCH01.Alterian.com>
Many apologies! When I posted my question, I was laboring under some misinformation provided by the file's originator. The file was apparently inadvertently truncated before being transferred, but we did not know. When the originator supplied an un-truncated file, it did successfully decrypt to the correct size.
-Jared
From len.cooley at gmail.com Tue Jul 19 22:16:17 2011
From: len.cooley at gmail.com (Len Cooley)
Date: Tue, 19 Jul 2011 16:16:17 -0400
Subject: secring and dropbox
Message-ID:
Is it a bad idea to place your secring in dropbox?
From rjh at sixdemonbag.org Wed Jul 20 00:04:06 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Jul 2011 15:04:06 -0700
Subject: secring and dropbox
In-Reply-To:
References:
Message-ID: <17eda62ac864207786588063b6f191eb@localhost>
> Is it a bad idea to place your secring in dropbox?
Depends entirely on the strength of your passphrase. With a strong enough
passphrase you could publish your secret certificates in the newspaper of
your choice and still be confident of their safety.
From rjh at sixdemonbag.org Wed Jul 20 00:14:07 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Jul 2011 15:14:07 -0700
Subject: GPG on Windows 2003
In-Reply-To: <2E01A3BDA83B26498434DBEE8358E6F612A3A896@CH-INF-EXCH01.Alterian.com>
References: <2E01A3BDA83B26498434DBEE8358E6F612A3A896@CH-INF-EXCH01.Alterian.com>
Message-ID: <54ff7afc0ec1f0d891ccace05657e920@localhost>
> I have GPG installed on a Windows 2003 server (32-bit). Looking in the
> install folder, it appears that it is GPG version 1.2.2.
I would recommend upgrading. GnuPG currently comes in two 'flavors': the
1.4.x track, and the 2.0.x track. Speaking very broadly, 1.4.x is better
for servers, while 2.0.x is more suited for desktop deployments. Which one
you choose doesn't really matter so much, so long as you upgrade to either
1.4.11 or 2.0.17. :)
Version 1.2.2 is *old* -- like eight years old. It doesn't track the
latest changes to the OpenPGP standard, and many bugfixes have come and
gone since then.
> 2) Do I need to upgrade to a more recent version of GPG? I see there is
> now something called "gpg4win 2.1.0". When I originally installed GPG on
> this server, I do not recall that being available. Is it actually GPG
> version 2.1.0, or is it GPG version 1.4.11 in gpg4 win version 2.1.0? And
> can I install this without wiping out my existing keychains, etc?
Gpg4win may be in version 2.1, but the version of GnuPG shipped with it is
2.0.17 (I believe).
Existing key files and so forth may be migrated to a 2.x installation
quite easily.
From thajsta at gmail.com Tue Jul 19 23:24:05 2011
From: thajsta at gmail.com (Jonathan Ely)
Date: Tue, 19 Jul 2011 17:24:05 -0400
Subject: It Is Gone
Message-ID: <4E25F5F5.8030000@gmail.com>
Six days ago I received my machine from repair. I am now running Windows
7 Ultimate and am ready to get back into the Enigmail scene after
settling in with Firefox and Thunderbird. However, when I navigated to
the download page on GnuPG.org the familiar table was not there. Where
did the GnuPG package go? I do not like GPG4WIN because it installs all
that other inaccessible and unnecessary software not to mention it
installs GnuPG version 2 which requires that other thing that deals with
pass phrases and version 1.4.11 [the last version I used] was more easy
to work with. Can somebody please link to or refer me to the site that
contains the latest version 1 of GnuPG? Thanks.
From rjh at sixdemonbag.org Wed Jul 20 01:37:39 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Jul 2011 19:37:39 -0400
Subject: It Is Gone
In-Reply-To: <4E25F5F5.8030000@gmail.com>
References: <4E25F5F5.8030000@gmail.com>
Message-ID: <4E261543.6010905@sixdemonbag.org>
On 7/19/11 5:24 PM, Jonathan Ely wrote:
> Can somebody please link to or refer me to the site that
> contains the latest version 1 of GnuPG? Thanks.
ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe
Enjoy!
From thajsta at gmail.com Wed Jul 20 01:50:35 2011
From: thajsta at gmail.com (Jonathan Ely)
Date: Tue, 19 Jul 2011 19:50:35 -0400
Subject: It Is Gone
In-Reply-To: <4E261543.6010905@sixdemonbag.org>
References: <4E25F5F5.8030000@gmail.com> <4E261543.6010905@sixdemonbag.org>
Message-ID: <4E26184B.5000606@gmail.com>
Thanks. I should have known better to ask before I copied an FTP's link
location from the page. They made it a bit more difficult for me since
they no longer link it directly but as long as the FTP server is still
in existence I should be able to find it.
On 19/07/2011 07:37 PM, Robert J. Hansen wrote:
> On 7/19/11 5:24 PM, Jonathan Ely wrote:
>> Can somebody please link to or refer me to the site that
>> contains the latest version 1 of GnuPG? Thanks.
>
> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.11.exe
>
> Enjoy!
From karadenizi at gmail.com Wed Jul 20 02:18:16 2011
From: karadenizi at gmail.com (Kara)
Date: Tue, 19 Jul 2011 20:18:16 -0400
Subject: secring and dropbox
Message-ID: <4E261EC8.4060303@gmail.com>
====
Reference Robert J. Hansen's 19 Jul 2011, 1504 (-0700), "Re: secring
and dropbox":
>> Is it a bad idea to place your secring in dropbox?
> Depends entirely on the strength of your passphrase. With a strong
> enough passphrase you could publish your secret certificates in the
> newspaper of your choice and still be confident of their safety.
Using a decent password generator and specifying a mix of upper and
lower case letters, digits, and special characters, how many total
characters -- as a minimum -- would you recommend such a password be?
Any particular password generator program you would recommend?
====
From rjh at sixdemonbag.org Wed Jul 20 03:25:36 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Jul 2011 21:25:36 -0400
Subject: secring and dropbox
In-Reply-To: <4E261EC8.4060303@gmail.com>
References: <4E261EC8.4060303@gmail.com>
Message-ID:
> Using a decent password generator and specifying a mix of upper and
> lower case letters, digits, and special characters, how many total
> characters -- as a minimum -- would you recommend such a password be?
Generate 16 random bytes, base-64 encode them, memorize the output. I use a Python script to generate high-value keys. Works pretty well wherever there's a /dev/random device that can be read. I'm sure there's a way to do it for Windows, but I almost always have a UNIX terminal handy so I haven't bothered. :)
I'm presenting the script here in case someone else finds it useful, but really, it's embarrassingly simple.
#!/usr/bin/env python
#coding=UTF-8
#
# genrandkey -- generates high-randomness 128-bit keys
#
# Contributed to the public domain.
#
# Be careful with this script: each time you run it you consume
# sixteen bytes from the system's high-entropy source. Only
# generate random keys when you need them!
#
# If you need to generate a lot of keys, you may want to use
# /dev/urandom instead. The keys won't quite be of as high
# quality, but should be plenty good enough for almost all
# purposes.
#
# Usage example:
#
#   proverbs:~ rjh$ ./genrandkey
#   EDTnI9Awc6Y19Rysg2+H+g==

from base64 import b64encode

if __name__ == '__main__':
    # Open in binary mode so the same script runs on Python 2 and Python 3.
    with open('/dev/random', 'rb') as fh:
        print(b64encode(fh.read(16)).decode('ascii'))
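The length question asked in this thread, worked through as an added example that is not part of the original post or its author's script: how many uniformly random characters from a given alphabet match the 128 bits of 16 random bytes. It assumes Python 3 and uses the standard `secrets` module (the operating system's CSPRNG, so it also runs on Windows) instead of reading /dev/random; the function names are hypothetical.

```python
import math
import secrets
import string
from base64 import b64encode

TARGET_BITS = 128  # entropy of 16 uniformly random bytes

# Character classes named in the question, from narrowest to widest.
ALPHABETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "letters+digits": string.ascii_letters + string.digits,
    "letters+digits+specials": (
        string.ascii_letters + string.digits + string.punctuation
    ),
}


def min_length(alphabet_size, target_bits=TARGET_BITS):
    """Fewest uniformly random symbols whose total entropy reaches target_bits.

    Each symbol drawn uniformly from N choices carries log2(N) bits."""
    if alphabet_size < 2:
        raise ValueError("need at least two distinct symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet, target_bits=TARGET_BITS):
    """Random passphrase over `alphabet`, just long enough for target_bits.

    Duplicated symbols are removed first so every symbol is equally likely."""
    symbols = sorted(set(alphabet))
    length = min_length(len(symbols), target_bits)
    return "".join(secrets.choice(symbols) for _ in range(length))


def random_key_b64(nbytes=16):
    """Same output format as the script above: base64 of nbytes random bytes.

    For 16 bytes this is 24 characters, of which the last two are '='
    padding; the 22 that carry data match min_length(64)."""
    return b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def length_table(target_bits=TARGET_BITS):
    """Minimum length per character class for the requested strength."""
    return {
        name: min_length(len(set(chars)), target_bits)
        for name, chars in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, length in length_table().items():
        print("%-24s %2d characters" % (name, length))
    print("base64 of 16 bytes:", random_key_b64())
    print("full keyboard set: ", generate(ALPHABETS["letters+digits+specials"]))
```

These lengths hold only for characters chosen uniformly at random by the generator; a passphrase a person composes has less entropy per character than the table assumes.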
From aaron.toponce at gmail.com Wed Jul 20 03:28:00 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Tue, 19 Jul 2011 19:28:00 -0600
Subject: secring and dropbox
In-Reply-To:
References:
Message-ID: <20110720012800.GW312@poseidon.cocyt.us>
On Tue, Jul 19, 2011 at 04:16:17PM -0400, Len Cooley wrote:
> Is it a bad idea to place your secring in dropbox?
I guess it's all about security versus convenience. So long as your
passphrase contains enough entropy, is strong, and secure, then I don't see
the big deal.
With that said, I don't see the need either. You have the tools and
hardware available to you, at very cheap prices, to build your own cloud
storage on your own private network. We've had this for years. So why trust
some 3rd party to do it for you? Why risk even a minuscule amount of
privacy when you don't have to?
Just my $0.02.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From aaron.toponce at gmail.com Wed Jul 20 03:32:30 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Tue, 19 Jul 2011 19:32:30 -0600
Subject: secring and dropbox
In-Reply-To: <4E261EC8.4060303@gmail.com>
References: <4E261EC8.4060303@gmail.com>
Message-ID: <20110720013230.GX312@poseidon.cocyt.us>
On Tue, Jul 19, 2011 at 08:18:16PM -0400, Kara wrote:
> > Depends entirely on the strength of your passphrase. With a strong
> > enough passphrase you could publish your secret certificates in the
> > newspaper of your choice and still be confident of their safety.
>
> Using a decent password generator and specifying a mix of upper and
> lower case letters, digits, and special characters, how many total
> characters -- as a minimum -- would you recommend such a password be?
I use https://passwordcard.org. It's 100% platform independent, and doesn't
require any software or hardware, outside of your wallet, which is likely
the most secure possession on you. Find a starting location for your
password, pick a length and direction, and go. Of course, you're not
limited to straight lines, and you shouldn't do that anyway. Spirals,
"bouncing off walls", wrapping around the card, all sorts of options for
the direction. After typing in the password enough, you memorize it anyway.
And if someone gets access to your card, they need to know:
1. Accounts
2. Usernames
3. Starting location, direction, and length of each password
And, given the random hex string, you can reprint your card, should you
lose it.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From brewhaha at freenet.edmonton.ab.ca Wed Jul 20 03:57:01 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Tue, 19 Jul 2011 19:57:01 -0600
Subject: secring and dropbox
In-Reply-To: <4E261EC8.4060303@gmail.com>
References: <4E261EC8.4060303@gmail.com>
Message-ID: <4E2635ED.6000805@freenet.edmonton.ab.ca>
On 2011-07-19 6:18 PM, Kara wrote:
> ====
>
> Reference Robert J. Hansen's 19 Jul 2011, 1504 (-0700), "Re: secring
> and dropbox":
>
>>> Is it a bad idea to place your secring in dropbox?
>> Depends entirely on the strength of your passphrase. With a strong
>> enough passphrase you could publish your secret certificates in the
>> newspaper of your choice and still be confident of their safety.
> Using a decent password generator and specifying a mix of upper and
> lower case letters, digits, and special characters, how many total
> characters -- as a minimum -- would you recommend such a password be?
>
> Any particular password generator program you would recommend?
>
Your brain. You hav to remember it, so you are better off constructing
it in the first place. Remember that you will hav no automated retrieval
process, where a friendly program reminds you of your passphrase. It iz
almost a shame that the most retrievable things are sentences with
non-sensical images in them, like Harry Lorayne's pimple-moose for
pomplemouse, the french word for grapefruit: He would hav you imajin a
moose with giant grapefruit pimples to remember that french word. You
can then insert punctuation and numbers that don't go on facebook,
anywhere, cut some of words down to initials or consonants (or out, if
it's long enough). Then, add a pattern in your casing. There could be a
program like "crack" applied to input passwords, measuring strength. Of
course, if you are confident that your private key ring will never go
anywhere, and that you can revoke it if it does (JENERATE A REVOKATION
CERTIFICATE. Store it on that USB key that is chained into your coat.)
It would of course be a nuisance to hav someone publish your revokation
certificate, and nothing like losing money at Mark Twain Bank. If your
friends are good enough, then you can leave a revokation certificate
with them.
From holtzm at cox.net Wed Jul 20 03:25:51 2011
From: holtzm at cox.net (Robert Holtzman)
Date: Tue, 19 Jul 2011 18:25:51 -0700
Subject: Where are those stubs..
In-Reply-To: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
Message-ID: <20110720012551.GA12759@cox.net>
On Tue, Jul 19, 2011 at 01:20:21AM +0200, J. Ottosson wrote:
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>
>
.........snip.........
Still with the HTML? This excerpt is from the Fedora mail list but it
applies to all lists:
No HTML Mail, Please
Set your mailer to send only plain text messages to the list (How?).
Why? HTML is designed for web pages, not emails, and uses a lot more
bandwidth. Many list members actually block HTML because it is used for
malicious code.
Not only can HTML mail be used to run malicious scripts, but when using
handheld devices the time taken for the page to appear is also much
higher.
....and also http://www.georgedillon.com/web/html_email_is_evil.shtml
--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
From rjh at sixdemonbag.org Wed Jul 20 04:42:33 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 19 Jul 2011 22:42:33 -0400
Subject: Where are those stubs..
In-Reply-To: <20110720012551.GA12759@cox.net>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
Message-ID: <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
> Still with the HTML? This excerpt is from the Fedora mail list but it
> applies to all lists:
It applies to those lists which have a policy on HTML mail identical to that of the Fedora mailing list. This is not the same as "all lists."
> Why? HTML is designed for web pages, not emails, and uses a lot more
> bandwidth.
This is a canard. Given most of the bandwidth is taken up by spam, the tiny fraction that you can save by shifting messages from HTML to raw text is utterly insignificant. It's a rounding error.
> Many list members actually block HTML because it is used for
> malicious code.
By that logic I should block plain text emails, based on how many malicious emails I get in those formats.
There are certainly reasons to avoid HTML email, but these reasons don't strike me as especially persuasive.
From jiangzuoyan at gmail.com Wed Jul 20 03:42:19 2011
From: jiangzuoyan at gmail.com (jiangzuoyan at gmail.com)
Date: Wed, 20 Jul 2011 09:42:19 +0800
Subject: secring and dropbox
In-Reply-To: <20110720012800.GW312@poseidon.cocyt.us>
References:
<20110720012800.GW312@poseidon.cocyt.us>
Message-ID:
I think it's a bad idea.
If exposure of private keys is acceptable, why not just use AES-like
methods?
To back up private keys, I think a printer is better, and more reliable, than
Dropbox-like cloud storage. The security of Dropbox is far from what is claimed;
don't trust them. See
http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/
and http://blog.dropbox.com/?p=821,
http://hardware.slashdot.org/story/11/05/15/2157202/Dropbox-Accused-of-Lying-About-Security
Changsheng Jiang
On Wed, Jul 20, 2011 at 09:28, Aaron Toponce wrote:
> On Tue, Jul 19, 2011 at 04:16:17PM -0400, Len Cooley wrote:
> > Is it a bad idea to place your secring in dropbox?
>
> I guess it's all about security versus convenience. So long as your
> passphrase contains enough entropy, is strong, and secure, then I don't see
> the big deal.
>
> With that said, I don't see the need either. You have the tools and
> hardware available to you, at very cheap prices, to build your own cloud
> storage on your own private network. We've had this for years. So why trust
> some 3rd party to do it for you? Why risk, even a miniscule amount of
> privacy when you don't have to?
>
> Just my $0.02.
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
From aaron at aaronkaufman.com Wed Jul 20 04:35:16 2011
From: aaron at aaronkaufman.com (Aaron Kaufman)
Date: Tue, 19 Jul 2011 19:35:16 -0700
Subject: secring and dropbox
In-Reply-To:
References:
Message-ID: <20110720023515.GB8423@epic.fisix.net>
Hey all,
I'd like to just point this out. On June 20th Dropbox had a security snafu[1].
Why trust a 3rd party when you could do it yourself? When it comes to
security and privacy there isn't much transparency. Maybe postmortem but not
upfront.
[1] http://blog.dropbox.com/?p=821
[1] http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/
On 4:16:17PM, Len Cooley wrote:
> Is it a bad idea to place your secring in dropbox?
--
Aaron Kaufman
0BA9 4F79 6949 8CA5 36BD DF11 3A4A 17E9 9681 4D1C
From remco at webconquest.com Wed Jul 20 07:19:17 2011
From: remco at webconquest.com (Remco Rijnders)
Date: Wed, 20 Jul 2011 07:19:17 +0200
Subject: Where are those stubs..
In-Reply-To: <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
Message-ID:
On Tue, Jul 19, 2011 at 10:42:33PM -0400, Robert J. Hansen wrote:
>> Still with the HTML? This excerpt is from the Fedora mail list but it
>> applies to all lists:
>
>It applies to those lists which have a policy on HTML mail identical to
>that of the Fedora mailing list. This is not the same as "all lists."
>
>> Why? HTML is designed for web pages, not emails, and uses a lot more
>> bandwidth.
>
>This is a canard. Given most of the bandwidth is taken up by spam, the
>tiny fraction that you can save by shifting messages from HTML to raw
>text is utterly insignificant. It's a rounding error.
True to some extent. But when you are on dialup or pay by the byte
wireless, it does make a difference when you are quickly checking your
mail and your mailserver / ISP has good spam filtering in place.
>> Many list members actually block HTML because it is used for
>> malicious code.
>
>By that logic I should block plain text emails, based on how many
>malicious emails I get in those formats.
>
>There are certainly reasons to avoid HTML email, but these reasons don't
>strike me as especially persuasive.
Still, the reason the original poster sent a mail to this list is to
solicit help. The HTML mail shows up as hardly readable on some mail
clients. While you might argue that that's a problem for the receiver and
not the sender, it does reduce the chances of getting a helpful reply from
someone who'd know the answer but can't be bothered to decipher the
unreadable HTML junk that arrived in their mailbox. The sender in that
case is the only person suffering from their HTML-only mail.
My 4KB of wasted bandwidth worth...
Remco
From lists at meumonus.com Wed Jul 20 08:46:12 2011
From: lists at meumonus.com (Devin Fisher)
Date: Wed, 20 Jul 2011 06:46:12 +0000
Subject: Where are those stubs..
In-Reply-To: <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu><20110720012551.GA12759@cox.net><021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
Message-ID: <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
I prefer a homogeneous environment because once a plaintext user replies to an HTML message the HTML tags inundate the message and it becomes mostly unreadable. So in my opinion, either all plaintext or all HTML.
-Devin
-----Original Message-----
From: "Robert J. Hansen"
Sender: gnupg-users-bounces at gnupg.org
Date: Tue, 19 Jul 2011 22:42:33
To: Robert Holtzman
Cc: GnuPG-Users
Subject: Re: Where are those stubs..
From wk at gnupg.org Wed Jul 20 11:23:12 2011
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Jul 2011 11:23:12 +0200
Subject: secring and dropbox
In-Reply-To: (Robert
J. Hansen's message of "Tue, 19 Jul 2011 21:25:36 -0400")
References: <4E261EC8.4060303@gmail.com>
Message-ID: <8739i1wbjz.fsf@vigenere.g10code.de>
On Wed, 20 Jul 2011 03:25, rjh at sixdemonbag.org said:
> I'm presenting the script here in case someone else finds it useful, but really, it's embarrassingly simple.
gpg --gen-random --armor 1 16
Might even be a bit simpler ;-)
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From david at gbenet.com Wed Jul 20 11:24:14 2011
From: david at gbenet.com (david at gbenet.com)
Date: Wed, 20 Jul 2011 10:24:14 +0100
Subject: Where are those stubs..
In-Reply-To: <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu><20110720012551.GA12759@cox.net><021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
Message-ID: <4E269EBE.7070805@gbenet.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Devin Fisher wrote:
> I prefer a homogeneous environment because once a plaintext user replies to an HTML message the HTML tags inundate the message and it becomes mostly unreadable. So in my opinion, either all plaintext or all HTML.
>
> -Devin
> -----Original Message-----
> From: "Robert J. Hansen"
> Sender: gnupg-users-bounces at gnupg.org
> Date: Tue, 19 Jul 2011 22:42:33
> To: Robert Holtzman
> Cc: GnuPG-Users
> Subject: Re: Where are those stubs..
I much prefer to send and receive in plain txt. When I started out some 25 years ago it was
the norm and the convention to do so. I ran a BBS (Bullet Board System) and later became an
ISP (Internet Service Provider). Most people that use Microsoft O/S format emails as HTML -
using fancy fonts and so on. A simple "Hello world" is 50Kb in Microsoft-speak yet a mere
5bytes in linux-speak. We - with long memories remember the criminal actions of Microsoft -
which still act the same way as in the past. There's a lot of "politics" as to why people
write plain txt - who use Linux and not the criminally-based Microsoft. A lot of people do
not care if they send out junk emails - their friends can read it and so must the rest of
the world.
I think lists should say "Please send plain txt only."
David
- --
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."
http:/counter.li.org 512854
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From richard at r-selected.de Wed Jul 20 12:31:05 2011
From: richard at r-selected.de (Richard)
Date: Wed, 20 Jul 2011 12:31:05 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
<4E249FD4.9070603@vulcan.xs4all.nl>
<4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
<4E24D276.1040306@freenet.edmonton.ab.ca>
<83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
Message-ID:
Hello,
On Tue, Jul 19, 2011 at 03:57, Robert J. Hansen wrote:
> Is there some particular reason why you send messages in an obfuscated format?
how is that working anyway? Apparently GPG automatically decrypted
those messages for me. How were they generated? What is that? :)
Thanks,
Richard
From jerome at jeromebaum.com Wed Jul 20 13:39:53 2011
From: jerome at jeromebaum.com (Jerome Baum)
Date: Wed, 20 Jul 2011 13:39:53 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To:
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
<4E249FD4.9070603@vulcan.xs4all.nl>
<4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
<4E24D276.1040306@freenet.edmonton.ab.ca>
<83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
Message-ID:
> how is that working anyway? Apparently GPG automatically decrypted
> those messages for me. How were they generated? What is that? :)
:compressed packet: algo=1
:onepass_sig packet: keyid 1E3B6A9CD77480F6
version 3, sigclass 0x00, digest 2, pubkey 1, last=1
:literal data packet:
mode b (62), created 1311035908, name="gpguser3.txt",
raw data: 1884 bytes
:signature packet: algo 1, keyid 1E3B6A9CD77480F6
version 3, created 1311035908, md5len 5, sigclass 0x00
digest algo 2, begin of digest 1b 52
data: [1019 bits]
Looks like this is what you get from a simple armor command.
--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
From johanw at vulcan.xs4all.nl Wed Jul 20 14:05:24 2011
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 20 Jul 2011 14:05:24 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To:
References: <4E24902F.5030609@freenet.edmonton.ab.ca> <4E249FD4.9070603@vulcan.xs4all.nl> <4E24A976.8030103@freenet.edmonton.ab.ca> <4E24B00A.4010303@vulcan.xs4all.nl> <4E24D276.1040306@freenet.edmonton.ab.ca> <83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
Message-ID: <4E26C484.9090009@vulcan.xs4all.nl>
On 20-07-2011 12:31, Richard wrote:
> how is that working anyway? Apparently GPG automatically decrypted
> those messages for me. How were they generated? What is that? :)
They were only signed, but not in plaintext but Base 64 encoded.
--
Kind regards,
Johan Wevers
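An added example, not part of any of the posts above: a Python reading of the armored layout that Jerome's packet dump shows, to make visible why GnuPG could display the text without any secret key (the outer packet is compressed, not encrypted). The two sample messages are constructed with dummy packet bodies, and all function names and labels are this example's own.

```python
import base64
import bz2
import zlib

# Packet tags from RFC 4880 section 4.3; the labels are this example's own.
TAGS = {1: "pubkey enc", 2: "signature", 3: "symkey enc", 4: "onepass_sig",
        8: "compressed", 9: "encrypted data", 11: "literal data",
        18: "encrypted data"}
ENCRYPTED = {1, 3, 9, 18}
# Compression algorithm ids: 0 none, 1 ZIP (raw DEFLATE), 2 ZLIB, 3 BZip2.
INFLATE = {0: bytes, 1: lambda p: zlib.decompress(p, -15),
           2: zlib.decompress, 3: bz2.decompress}


def dearmor(text):
    """Return the binary payload of an ASCII-armored block (CRC line skipped)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP"))
    stop = next(i for i, ln in enumerate(lines) if ln.startswith("-----END PGP"))
    body = lines[start + 1:stop]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))


def read_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        pos += 1
        if hdr & 0x40:                  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:              # indeterminate length: runs to end of data
                length = len(data) - pos
            else:
                nbytes = 1 << ltype     # 1, 2 or 4 length octets
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                pos += nbytes
        yield tag, data[pos:pos + length]
        pos += length


def describe(armored):
    """Return (is_encrypted, [packet labels]), opening a compressed outer
    packet to list what it wraps."""
    names, encrypted = [], False
    for tag, body in read_packets(dearmor(armored)):
        names.append(TAGS.get(tag, "tag %d" % tag))
        if tag in ENCRYPTED:
            encrypted = True
        elif tag == 8:
            inner = INFLATE[body[0]](body[1:])   # body[0] is the algorithm id
            names.extend(TAGS.get(t, "tag %d" % t) for t, _ in read_packets(inner))
    return encrypted, names


def old_packet(tag, body):
    """Build an old-format packet with a one-octet length (bodies < 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def armor(data):
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: constructed sample",
                      ""] + rows + ["-----END PGP MESSAGE-----"])


def constructed_signed_only():
    """Constructed sample shaped like the dump in the thread: compressed (algo 1)
    wrapping onepass_sig + literal data + signature. Bodies are dummy bytes."""
    inner = (old_packet(4, b"\x03\x00\x02\x01" + bytes(8) + b"\x01")
             + old_packet(11, b"b\x0cgpguser3.txt" + bytes(4) + b"hello list\n")
             + old_packet(2, b"\x03" + bytes(20)))
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    # 0xA3 = old format, tag 8, indeterminate length; 0x01 = ZIP
    return armor(b"\xa3\x01" + z.compress(inner) + z.flush())


def constructed_encrypted():
    """Constructed sample: pubkey enc (old header) + encrypted data (new header)."""
    seipd = bytes([0xC0 | 18, 40]) + b"\x01" + bytes(39)
    return armor(old_packet(1, b"\x03" + bytes(8) + b"\x01" + bytes(30)) + seipd)


if __name__ == "__main__":
    print(describe(constructed_signed_only()))
    print(describe(constructed_encrypted()))
```

A message whose first packet is `compressed` carries no confidentiality at all; armor and compression only make it look opaque in a mail client.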
From hlein at korelogic.com Wed Jul 20 02:57:42 2011
From: hlein at korelogic.com (Hank Leininger)
Date: Tue, 19 Jul 2011 20:57:42 -0400
Subject: [PATCH] enable show-session-key on a truncated encrypted file
Message-ID: <20110720005742.GB7769@marklar.spinoli.org>
[ Sent to gnupg-devel a couple of days ago but it never went through;
perhaps -devel is subscriber-only. Apologies if you eventually see it
twice. ]
Here is a patch (quick and dirty) to show a session key for an encrypted
file using --show-session-key even if the encrypted file is truncated.
Consider the following scenario:
- There's a big file encrypted to your key on a machine you don't trust
enough to put your private key on / feed it your passphrase
- You need to have the decrypted version of that file on that machine
(you do trust it enough to have that)
- You have a slow link to that machine; pulling down, decrypting, and
pushing the plaintext version back would be painful
Maybe someone knows a better way to do this, but what I did some years
ago with gpg was basically:
local$ ssh remote head -c1000000 bigfile.pgp > bigfile_fragment.pgp
local$ gpg --show-session-key -o /dev/null --max-output 1 \
bigfile_fragment.pgp 2>&1 | egrep 'session key'
remote$ gpg -d --override-session-key KEYSTRING bigfile.pgp
This fails with current gnupg without the attached patch.
The key here is the ability to do --override-session-key on a fragment
of a .pgp'ed file. The current behavior of gnupg is to error out
because of the broken file prior to checking if opt.show_session_key is
set. This is not "wrong"--but it is not helpful in the above scenario.
The below patch moves up the opt.show_session_key check and prints
the session key if known, even if gnupg is erroring out. Is there any
reason this is a terrible idea *in the case that* you have already
decided to use --show-session-key / --override-session-key?
Thanks,
Hank Leininger
BE5D FCCA 673B D18B 98A9 3175 896E 3D4A 1B4D C5AC
####
diff -urP gnupg-2.0.17/g10/mainproc.c gnupg-2.0.17-showtrunc/g10/mainproc.c
--- gnupg-2.0.17/g10/mainproc.c 2011-01-09 17:06:16.000000000 -0500
+++ gnupg-2.0.17-showtrunc/g10/mainproc.c 2011-07-17 18:29:30.000000000 -0400
@@ -561,6 +561,18 @@
if( !result )
result = decrypt_data( c, pkt->pkt.encrypted, c->dek );
+ /* If told to show the session key, try even on failed operations */
+ if(opt.show_session_key && c->dek != NULL && c->dek->keylen > 0)
+ {
+ int i;
+ char *buf = xmalloc ( c->dek->keylen*2 + 20 );
+ sprintf ( buf, "%d:", c->dek->algo );
+ for(i=0; i < c->dek->keylen; i++ )
+ sprintf(buf+strlen(buf), "%02X", c->dek->key[i] );
+ log_info( "session key: `%s'\n", buf );
+ write_status_text ( STATUS_SESSION_KEY, buf );
+ }
+
if( result == -1 )
;
else if( !result || (gpg_err_code (result) == GPG_ERR_BAD_SIGNATURE
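Review bot: the added block sits before `result` is inspected, so with --show-session-key set the key is logged and written to the status stream for every outcome of decrypt_data, not only the truncated-input case the description motivates. Consider gating it on the specific error you want to tolerate, or at least say in the comment and in the option's documentation that the key is now emitted on failed decryptions too. Separately, `buf` comes from xmalloc and is never released in the block; it holds the hex form of the session key, so an xfree (preferably after wiping it) following write_status_text would be appropriate, all the more now that the block runs on the error paths as well.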
@@ -572,16 +584,6 @@
write_status( STATUS_GOODMDC );
else if(!opt.no_mdc_warn)
log_info (_("WARNING: message was not integrity protected\n"));
- if(opt.show_session_key)
- {
- int i;
- char *buf = xmalloc ( c->dek->keylen*2 + 20 );
- sprintf ( buf, "%d:", c->dek->algo );
- for(i=0; i < c->dek->keylen; i++ )
- sprintf(buf+strlen(buf), "%02X", c->dek->key[i] );
- log_info( "session key: `%s'\n", buf );
- write_status_text ( STATUS_SESSION_KEY, buf );
- }
}
else if( result == G10ERR_BAD_SIGN ) {
log_error(_("WARNING: encrypted message has been manipulated!\n"));
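Review bot: removing the print from the success branch changes the order of the output: STATUS_SESSION_KEY used to follow STATUS_GOODMDC or the "message was not integrity protected" warning, and with the relocated block it now precedes them, which anything parsing the status stream in order will notice. It also means the key is printed ahead of the "encrypted message has been manipulated" error in the G10ERR_BAD_SIGN branch just below. If both effects are intended, state them in the commit message; otherwise keep the success-path print here and add a separate, narrower print for the failure case.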
From gnupg.user at seibercom.net Wed Jul 20 14:37:34 2011
From: gnupg.user at seibercom.net (Jerry)
Date: Wed, 20 Jul 2011 08:37:34 -0400
Subject: Where are those stubs..
In-Reply-To: <4E269EBE.7070805@gbenet.com>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
<4E269EBE.7070805@gbenet.com>
Message-ID: <20110720083734.6f31882a@scorpio>
On Wed, 20 Jul 2011 10:24:14 +0100
david at gbenet.com articulated:
> I much prefer to send and receive in plain txt. When I started out
> some 25 years ago it was the norm and the convention to do so. I ran
> a BBS (Bullet Board System) and later became an ISP (Internet Service
> Provider). Most people that use Microsoft O/S format emails as HTML -
> using fancy fonts and so on. A simple "Hello world" is 50Kb in
> Microsoft-speak yet a mere 5bytes in linux-speak. We - with long
> memories remember the criminal actions of Microsoft - which still act
> the same way as in the past. There's a lot of "politics" as to why
> people write plain txt - who use Linux and not the criminally-based
> Microsoft. A lot of people do not care if they send out junk emails -
> their friends can read it and so must the rest of the world.
>
> I think lists should say "Please send plain txt only."
I prefer plain ASCII text format myself in most instances. However,
your argument loses traction as soon as you start with this obvious
personal vendetta against Microsoft.
Those of us with long memories remember that the main objection from
the *.nix/*BSD community was the fact that most native MUA's currently
available at that time were not able to properly handle HTML or MIME
encoded messages. They then proceeded to throw up a smoke screen
condemning what they could not handle properly.
By the way, and just out of blatant morbid curiosity, if an
acquaintance, business or personal were to request that you communicate
in HTML format would you do it?
In conclusion, if you receive an HTML message, just delete it. Better
yet, set up filters, configure your MTA if you employ one, or whatever
means needed to remove this problem from your environment. You
obviously have a lot of hatred built up. Elimination of this pseudo
problem before it reaches your viewing screen would be a major step
forward for you.
--
Jerry
GNUPG.user at seibercom.net
_____________________________________________________________________
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
From mwood at IUPUI.Edu Wed Jul 20 15:33:58 2011
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Wed, 20 Jul 2011 09:33:58 -0400
Subject: Yet Another Mail Encoding Thread
In-Reply-To: <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
Message-ID: <20110720133358.GA2547@IUPUI.Edu>
[increasingly offtopic rant]
Well, a *proper* MUA would send both text/html and text/plain
bodyparts in a multipart/alternative container, so that a *proper* CUI
MUA could render the important part of the message without all the
markup. But the evidence suggests that many maintainers of
HTML-possessed MUAs still do not read standards. :-P
Some character-cell MUAs will, in desperation, delegate HTML rendering
to a character-cell browser and then display the result. I'm willing
to go the extra mile with messages that can be so treated, if the
actual text is intelligible. Often I find that this yields something
more readable than what the sender thought I would see. But some MUAs
do not even mark their HTML output as HTML, foiling this. :-{
When I open a message and see nothing but a farrago of markup, I
generally throw it away unread. Unless it's an anticipated message
from a known sender, it's too much trouble even to type "v", "m" to
force it through lynx.
Sent from my big clunky desktop using Mutt.
--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
From david at gbenet.com Wed Jul 20 16:43:06 2011
From: david at gbenet.com (david at gbenet.com)
Date: Wed, 20 Jul 2011 15:43:06 +0100
Subject: Where are those stubs..
In-Reply-To: <20110720083734.6f31882a@scorpio>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu> <20110720012551.GA12759@cox.net> <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org> <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry> <4E269EBE.7070805@gbenet.com>
<20110720083734.6f31882a@scorpio>
Message-ID: <4E26E97A.9040806@gbenet.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jerry wrote:
> On Wed, 20 Jul 2011 10:24:14 +0100
> david at gbenet.com articulated:
>
>> I much prefer to send and receive in plain txt. When I started out
>> some 25 years ago it was the norm and the convention to do so. I ran
>> a BBS (Bullet Board System) and later became an ISP (Internet Service
>> Provider). Most people that use Microsoft O/S format emails as HTML -
>> using fancy fonts and so on. A simple "Hello world" is 50Kb in
>> Microsoft-speak yet a mere 5bytes in linux-speak. We - with long
>> memories remember the criminal actions of Microsoft - which still act
>> the same way as in the past. There's a lot of "politics" as to why
>> people write plain txt - who use Linux and not the criminally-based
>> Microsoft. A lot of people do not care if they send out junk emails -
>> their friends can read it and so must the rest of the world.
>>
>> I think lists should say "Please send plain txt only."
>
> I prefer plain ASCII text format myself in most instances. However,
> your argument loses traction as soon as you start with this obvious
> personal vendetta against Microsoft.
>
> Those of us with long memories remember that the main objection from
> the *.nix/*BSD community was the fact that most native MUA's currently
> available at that time were not able to properly handle HTML or MIME
> encoded messages. They then proceeded to throw up a smoke screen
> condemning what they could not handle properly.
>
> By the way, and just out of blatant morbid curiosity, if an
> acquaintance, business or personal were to request that you communicate
> in HTML format would you do it?
>
> In conclusion, if you receive an HTML message, just delete it. Better
> yet, set up filters, configure your MTA if you employ one, or whatever
> means needed to remove this problem from your environment. You
> obviously have a lot of hatred built up. Elimination of this pseudo
> problem before it reaches your viewing screen would be a major step
> forward for you.
>
Hi Jerry,
I don't hate any one for using Microsoft - I even beta-tested Windows 3.11 and Windows 95/98
till I realised that though we filed bug reports Microsoft in Ireland took no notice.
And as an ex-Chairman and ex-Vice President of a US Company we had an ethical trading policy
to which the Microsoft Corporation failed to comply with. They still seem to be facing
problems in the EU.
If I were to suggest that you should support your local bank robber or mugger and give them
every assistance and that all criminals be released - you would suggest that I was mad.
Microsoft does engage in illegal business practices - and are supported by millions every
day with their lock in licences and anti-competitive practices.
I just have a better grasp of business ethics and better grasp in recognising software
freedom - but I don't hate people for their ignorance of Microsoft's bad and illegal
business practices.
Most people have Microsoft on their desktop or laptop without any choice. They do not have
the freedom of choice. Most people like my girlfriend just switch on their laptop or desktop
and use it without any knowledge that there are alternatives.
As some one said "Microsoft gives you Windows - Linux gives you the whole house" that whole
house is for free. Microsoft lock you in - they lock companies in too. They engage in
illegal business practices.
I often find it odd that people when they get to know about Microsoft's illegal business
practices that they continue to have a Microsoft Operating System on the desktop or laptop.
Companies that sell desktops and laptops operate with very small margins - but the licence
that goes to Microsoft is constant about 12 years ago it was a fact that IBM paid Microsoft
a licence fee for every machine it sold - $400 USD. So when desktops or laptops are sold in
a sale there is no reduction of licence fee which remains a constant.
A computer buyer can not go into say PC World and say "I like that HP or Acer, but I will
buy it with or without an operating system or with a Linux distro installed." They have no
choice. Microsoft's business policy is "No choice but Microsoft for the general consumer and
for the business user."
I support freedom of choice - I support ethical business practices. Microsoft Corporation
does not support any ethical principles. It is not a question of "I hate Microsoft." I don't
support unethical or illegal business practices.
I also think that the majority of computer users are in ignorance. But you can Google and
see for yourself the basis of business practice by Microsoft Corporation. Oh and once IBM
had a licence for Windows - IBMers are not told to talk about that.
But once you do know - then you have a choice - continue to support anti-competitive
unethical and illegal business practices of the Microsoft Corporation or if you support
ethical good practice and no criminal activity. Your choice as everyone else's.
As an oldy (63) I prefer plain txt. I don't admonish people for sending me HTML with all
manner of fancy fonts - I just accept it.
David
- --
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."
http:/counter.li.org 512854
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From lists at meumonus.com Wed Jul 20 17:18:37 2011
From: lists at meumonus.com (Devin Fisher)
Date: Wed, 20 Jul 2011 15:18:37 +0000
Subject: Where are those stubs..
In-Reply-To: <4E26E97A.9040806@gbenet.com>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu> <20110720012551.GA12759@cox.net> <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org> <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry> <4E269EBE.7070805@gbenet.com><20110720083734.6f31882a@scorpio><4E26E97A.9040806@gbenet.com>
Message-ID: <658423218-1311175119-cardhu_decombobulator_blackberry.rim.net-1462027417-@b1.c27.bise6.blackberry>
Deleted. I may be a newb to this list, but I believe etiquette is to post an OT so that we can skip stuff like this.
Thanks,
-Devin
-----Original Message-----
From: "david at gbenet.com"
Sender: gnupg-users-bounces at gnupg.org
Date: Wed, 20 Jul 2011 15:43:06
To:
Subject: Re: Where are those stubs..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jerry wrote:
> On Wed, 20 Jul 2011 10:24:14 +0100
> david at gbenet.com articulated:
>
>> I much prefer to send and receive in plain txt. When I started out
>> some 25 years ago it was the norm and the convention to do so. I ran
>> a BBS (Bullet Board System) and later became an ISP (Internet Service
>> Provider). Most people that use Microsoft O/S format emails as HTML -
>> using fancy fonts and so on. A simple "Hello world" is 50Kb in
>> Microsoft-speak yet a mere 5bytes in linux-speak. We - with long
>> memories remember the criminal actions of Microsoft - which still act
>> the same way as in the past. There's a lot of "politics" as to why
>> people write plain txt - who use Linux and not the criminally-based
>> Microsoft. A lot of people do not care if they send out junk emails -
>> their friends can read it and so must the rest of the world.
>>
>> I think lists should say "Please send plain txt only."
>
> I prefer plain ASCII text format myself in most instances. However,
> your argument loses traction as soon as you start with this obvious
> personal vendetta against Microsoft.
>
> Those of us with long memories remember that the mail objection from
> the *.nix/*BSD community was the fact that most native MUA's currently
> available at that time were not able to properly handle HTML or MIME
> encoded messages. They then proceeded to throw up a smoke screen
> condemning what they could not handle properly.
>
> By the way, and just out of blatant morbid curiosity, if an
> acquaintance, business or personal were to request that you communicate
> in HTML format would you do it?
>
> In conclusion, if you receive an HTML message, just delete it. Better
> yet, set up filters, configure your MTA if you employ one, or whatever
> means needed to remove this problem from your environment. You
> obviously have a lot of hatred built up. Elimination of this pseudo
> problem before it reaches your viewing screen would be a major step
> forward for you.
>
Hi Jerry,
I don't hate any one for using Microsoft - I even beta-tested Windows 3.11 and Windows 95/98
till I realised that though we filed bug reports Microsoft in Ireland took no notice.
And as an ex-Chairman and ex-Vice President of a US Company we had an ethical trading policy
to which the Microsoft Corporation failed to comply with. They still seem to be facing
problems in the EU.
If I were to suggest that you should support your local bank robber or mugger and give them
every assistance and that all criminals be released - you would suggest that I was mad.
Microsoft does engage in illegal business practices - and are supported by millions every
day with their lock in licences and anti-competitive practices.
I just have a better grasp of business ethics and better grasp in recognising software
freedom - but I don't hate people for their ignorance of Microsoft's bad and illegal
business practices.
Most people have Microsoft on their desktop or laptop without any choice. They do not have
the freedom of choice. Most people like my girlfriend just switch on their laptop or desktop
and use it without any knowledge that there are alternatives.
As some one said "Microsoft gives you Windows - Linux gives you the whole house" that whole
house is for free. Microsoft lock you in - they lock companies in too. They engage in
illegal business practices.
I often find it odd that people when they get to know about Microsoft's illegal business
practices that they continue to have a Microsoft Operating System on the desktop or laptop.
Companies that sell desktops and laptops operate with very small margins - but the licence
that goes to Microsoft is constant about 12 years ago it was a fact that IBM paid Microsoft
a licence fee for every machine it sold - $400 USD. So when desktops or laptops are sold in
a sale there is no reduction of licence fee which remains a constant.
A computer buyer can not go into say PC World and say "I like that HP or Acer, but I will
buy it with or without an operating system or with a Linux distro installed." They have no
choice. Microsoft's business policy is "No choice but Microsoft for the general consumer and
for the business user."
I support freedom of choice - I support ethical business practices. Microsoft Corporation
does not support any ethical principles. It is not a question of "I hate Microsoft." I don't
support unethical or illegal business practices.
I also think that the majority of computer users are in ignorance. But you can Google and
see for yourself the basis of business practice by Microsoft Corporation. Oh and once IBM
had a licence for Windows - IBMers are not told to talk about that.
But once you do know - then you have a choice - continue to support anti-competitive
unethical and illegal business practices of the Microsoft Corporation or if you support
ethical good practice and no criminal activity. Your choice as everyone else's.
As an oldy (63) I prefer plain txt. I don't admonish people for sending me HTML with all
manner of fancy fonts - I just accept it.
David
- --
"See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.
Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion."
http:/counter.li.org 512854
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
From vedaal at nym.hush.com Wed Jul 20 16:38:55 2011
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 20 Jul 2011 10:38:55 -0400
Subject: secring and dropbox
Message-ID: <20110720143855.DE01B6F446@smtp.hushmail.com>
Kara karadenizi at gmail.com wrote on
Wed Jul 20 02:18:16 CEST 2011 :
>> Is it a bad idea to place your secring in dropbox?
>Using a decent password generator and specifying a mix of upper and
>lower case letters, digits, and special characters, how many total
>characters -- as a minimum -- would you recommend such a password be?
>Any particular password generator program you would recommend?
-----
A simple alternative would be to create a truecrypt container,
allowing truecrypt to generate its own keyfile.
Store the keyfile in a secure, retrievable place (not in the cloud),
and you can leave the password blank.
To answer your question;
assuming that at some point, the 'cloud' will have resources to
brute force passphrases that might be considered safe 'now', but
still not enough to brute force a 2^256 or even a 2^128 symmetrical cipher,
then,
symmetrically encrypt any file using either AES, Twofish, or Camellia,
and then decrypt it with the gnupg option of '--show-session-key'.
Gnupg will display a random 64 character string.
Use the entire string as your passphrase,
(or half of it, if you feel comfortable that the combined sources
of the cloud will not be able to brute-force a 128 bit keyspace in
your lifetime ;-) )
If you find such a string difficult to remember, then consider
Diceware.
http://world.std.com/~reinhold/diceware.html
(afaik, there is no computerized dice generator that will produce
acceptably random results, so you'll need 5 dice.)
The Diceware keyspace is 7776
(6 possibilities for a die throw, 5 throws, 6^5 = 7776).
[ 7776^10 ~= 8.08 x 10^38 ] > [ 2^128 ~= 3.40 x 10^38 ]
[ 7776^20 ~= 6.53 x 10^77 ] > [ 2^256 ~= 1.58 x 10^77 ]
A 10 word Diceware passphrase should be more than enough.
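Added example, not part of the original post: the keyspace arithmetic above done with exact integers, plus a lookup that turns physical dice rolls into words. The function names and the sample wordlist entries are constructed for illustration, and the 64-character session key string is treated as hexadecimal.

```python
"""Added example: Diceware sizing and roll-to-word lookup for physical dice."""
import math

DIE_FACES = 6
ROLLS_PER_WORD = 5
KEYSPACE_PER_WORD = DIE_FACES ** ROLLS_PER_WORD  # 6^5 = 7776, as in the post

# Constructed excerpt in the "NNNNN word" layout; the words are placeholders,
# not entries from the published Diceware list.
SAMPLE_WORDLIST = """\
11111 alpha
11112 bravo
16655 charlie
66666 delta
"""


def words_needed(target_bits):
    """Smallest n with 7776**n >= 2**target_bits, using exact integers."""
    if target_bits < 0:
        raise ValueError("target_bits must be non-negative")
    n = 0
    while KEYSPACE_PER_WORD ** n < 2 ** target_bits:
        n += 1
    return n


def passphrase_bits(n_words):
    """Entropy in bits of n independently rolled Diceware words."""
    return n_words * math.log2(KEYSPACE_PER_WORD)


def hex_string_bits(n_hex_chars):
    """Bits carried by a random hex string (4 bits per hex digit)."""
    return 4 * n_hex_chars


def is_roll_key(token):
    """True for a five-character key made only of die faces 1-6."""
    return len(token) == ROLLS_PER_WORD and all(c in "123456" for c in token)


def parse_wordlist(text):
    """Map five-digit roll keys to words, skipping lines that are not entries."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not is_roll_key(parts[0]):
            continue  # blank lines, headers, signature armor around the list
        key, word = parts
        if key in table:
            raise ValueError(f"duplicate wordlist key {key}")
        table[key] = word
    return table


def rolls_to_keys(rolls):
    """Group a flat sequence of die rolls into five-digit lookup keys."""
    rolls = list(rolls)
    if not rolls or len(rolls) % ROLLS_PER_WORD:
        raise ValueError("need a non-empty multiple of 5 rolls")
    for r in rolls:
        if isinstance(r, bool) or not isinstance(r, int) or not 1 <= r <= DIE_FACES:
            raise ValueError(f"not a die face: {r!r}")
    return ["".join(str(r) for r in rolls[i:i + ROLLS_PER_WORD])
            for i in range(0, len(rolls), ROLLS_PER_WORD)]


def passphrase_from_rolls(rolls, table):
    """Look up one word per group of five rolls; fail on any missing key."""
    keys = rolls_to_keys(rolls)
    missing = [k for k in keys if k not in table]
    if missing:
        raise KeyError(f"wordlist has no entry for {missing}")
    return " ".join(table[k] for k in keys)


if __name__ == "__main__":
    for bits in (128, 256):
        n = words_needed(bits)
        print(f"{bits}-bit target: {n} words ({passphrase_bits(n):.1f} bits)")
    print("64 hex chars:", hex_string_bits(64), "bits")
    table = parse_wordlist(SAMPLE_WORDLIST)
    print(passphrase_from_rolls([1, 6, 6, 5, 5, 6, 6, 6, 6, 6], table))
```

With the full published wordlist passed to parse_wordlist, ten words need fifty recorded rolls.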
From holtzm at cox.net Wed Jul 20 17:44:43 2011
From: holtzm at cox.net (Robert Holtzman)
Date: Wed, 20 Jul 2011 08:44:43 -0700
Subject: Where are those stubs..
In-Reply-To: <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
Message-ID: <20110720154443.GA14161@cox.net>
On Tue, Jul 19, 2011 at 10:42:33PM -0400, Robert J. Hansen wrote:
> > Still with the HTML? This excerpt is from the Fedora mail list but it
> > applies to all lists:
>
> It applies to those lists which have a policy on HTML mail identical to that of the Fedora mailing list. This is not the same as "all lists."
Most lists I've seen discourage it
>
> > Why? HTML is designed for web pages, not emails, and uses a lot more
> > bandwidth.
>
> This is a canard. Given most of the bandwidth is taken up by spam, the tiny fraction that you can save by shifting messages from HTML to raw text is utterly insignificant. It's a rounding error.
>
I'll give you that.
> > Many list members actually block HTML because it is used for
> > malicious code.
>
> By that logic I should block plain text emails, based on how many malicious emails I get in those formats.
And if you're worried enough you wouldn't be online at all. Where do you
want to draw the line?
>
> There are certainly reasons to avoid HTML email, but these reasons don't strike me as especially persuasive.
>
Evidently the originator did and I couldn't agree with him more.
--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
From gnupg.user at seibercom.net Wed Jul 20 17:56:54 2011
From: gnupg.user at seibercom.net (Jerry)
Date: Wed, 20 Jul 2011 11:56:54 -0400
Subject: Where are those stubs..
In-Reply-To: <4E26E97A.9040806@gbenet.com>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
<4E269EBE.7070805@gbenet.com> <20110720083734.6f31882a@scorpio>
<4E26E97A.9040806@gbenet.com>
Message-ID: <20110720115654.2f82faa3@scorpio>
On Wed, 20 Jul 2011 15:43:06 +0100
david at gbenet.com articulated:
> Hi Jerry,
>
> I don't hate any one for using Microsoft - I even beta-tested Windows
> 3.11 and Windows 95/98 till I realised that though we filed bug
> reports Microsoft in Ireland took no notice.
I don't want to get into a long drawn out discussion on this issue, so
I will make this brief.
Your analogy is faulty. It is comparative to someone saying that they
are not prejudiced against blacks because they have one as a friend.
Interestingly enough, a few years ago while doing Beta testing on the
Office Suite, I filed a report on a possible bug/problem. I received a
telephone call two days later asking for more specific details. Perhaps
your submissions were considered PEBKaC anomalies.
> And as an ex-Chairman and ex-Vice President of a US Company we had an
> ethical trading policy to which the Microsoft Corporation failed to
> comply with. They still seem to be facing problems in the EU.
The EU is a group of neo-fascists/socialists backed to a large extent
by Opera. You would have a better chance of getting a fair hearing as a
black man standing trial with a jury of the KKK than a capitalistic
corporation has in front of the EC, or as it has been called, the
USSREC.
> If I were to suggest that you should support your local bank robber
> or mugger and give them every assistance and that all criminals be
> released - you would suggest that I was mad. Microsoft does engage in
> illegal business practices - and are supported by millions every day
> with their lock in licences and anti-competitive practices.
Google is presently under investigation for anti-monopoly laws in the
US. Personally, I have always felt that the anti-monopoly laws in the
US were designed for the robber barons, AKA train & steel and oil
corporation. However, if you are going to use it against one entity, then
you have to apply it uniformly. In any case, your analogy is faulty
since you are comparing business law with criminal law.
> I just have a better grasp of business ethics and better grasp in
> recognising software freedom - but I don't hate people for their
> ignorance of Microsoft's bad and illegal business practices.
Wow, at least, well according to you anyway, you are not an
indiscriminate hater. How thoughtful of you.
> Most people have Microsoft on their desktop or laptop without any
> choice. They do not have the freedom of choice. Most people like my
> girlfriend just switch on their laptop or desktop and use it without
> any knowledge that there are alternatives.
Absolutely, F**ken Bulls**t. You always have a choice. The truth of the
matter is that your girlfriend, or any other individual for that
matter, choose an OS that they can actually just turn on and have it
work without spending days attempting to get simple things like
wireless, printers, etcetera operational. Hell, I use FreeBSD as a
hobbyist OS on two machines and it doesn't even support the wireless
"N" protocol after over 5 years. The list goes on and on. People tend
to use what works best for them. Even more so, they use what works best
in their environment.
> As some one said "Microsoft gives you Windows - Linux gives you the
> whole house" that whole house is for free. Microsoft lock you in -
> they lock companies in too. They engage in illegal business practices.
>
> I often find it odd that people when they get to know about
> Microsoft's illegal business practices that they continue to have a
> Microsoft Operating System on the desktop or laptop. Companies that
> sell desktops and laptops operate with very small margins - but the
> licence that goes to Microsoft is constant about 12 years ago it was
> a fact that IBM paid Microsoft a licence fee for every machine it
> sold - $400 USD. So when desktops or laptops are sold in a sale there
> is no reduction of licence fee which remains a constant.
I need a citation for that. I did a quick search and found nothing
even beginning to approach this $400 mark. In any case, how long has it
been since IBM ceased PC production?
> A computer buyer can not go into say PC World and say "I like that HP
> or Acer, but I will buy it with or without an operating system or
> with a Linux distro installed." They have no choice. Microsoft's
> business policy is "No choice but Microsoft for the general consumer
> and for the business user."
The manufacturer has already purchased a license to include the OS
installed. If you don't want it, erase it. How much simpler can it
get. 99% of PC buyers, and the percentage may even be higher, want a PC
with a fully functional OS installed. How many PCs would any store sell
if they came sans OS? I can probably count the number on one hand.
As far as the "Linux" installed, you most certainly can. Do a web
search, but don't use Google. They are under investigation (in more
than one country too).
> I support freedom of choice - I support ethical business practices.
> Microsoft Corporation does not support any ethical principles. It is
> not a question of "I hate Microsoft." I don't support unethical or
> illegal business practices.
I assume for starters that you don't use Google, purchase diamonds, you
wouldn't want to support another monopoly (De Beers), etcetera.
> I also think that the majority of computer users are in ignorance.
> But you can Google and see for yourself the basis of business
> practice by Microsoft Corporation. Oh and once IBM had a licence for
> Windows - IBMers are not told to talk about that.
Now you really need to supply a citation.
> But once you do know - then you have a choice - continue to support
> anti-competitive unethical and illegal business practices of the
> Microsoft Corporation or if you support ethical good practice and no
> criminal activity. Your choice as everyone else's.
What you are really trying to enforce is the concept of socialism. You
don't hate Microsoft, or any other corporation specifically. You are
using this pseudo "business practice" scenario as a smoke screen to
cover up the fact that you are really an anti-capitalist. You want
software to be free. I have no problem with that as long as it does not
deprive an individual of his due compensation. You usually get what you
pay for.
> As an oldy (63) I prefer plain txt. I don't admonish people for
> sending me HTML with all manner of fancy fonts - I just accept it.
If the worst thing anyone ever did was send me an HTML formatted
message, I would be a happy man.
For the record, Microsoft did not invent the HTML(1) format. That is
attributed to physicist Tim Berners-Lee. Guess what, he didn't even work
for Microsoft either.
(1) http://en.wikipedia.org/wiki/HTML
--
Jerry
GNUPG.user at seibercom.net
_____________________________________________________________________
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Famous last words of Davy Crockett:
What are all those gardeners doing here?
From aaron.toponce at gmail.com Wed Jul 20 17:39:16 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Wed, 20 Jul 2011 09:39:16 -0600
Subject: secring and dropbox
In-Reply-To: <8739i1wbjz.fsf@vigenere.g10code.de>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
Message-ID: <20110720153916.GB7497@poseidon.cocyt.us>
On Wed, Jul 20, 2011 at 11:23:12AM +0200, Werner Koch wrote:
> On Wed, 20 Jul 2011 03:25, rjh at sixdemonbag.org said:
> > I'm presenting the script here in case someone else finds it useful, but really, it's embarrassingly simple.
>
> gpg --gen-random --armor 1 16
>
> Might even be a bit simpler ;-)
Ah, cool. However, as the gpg(1) manual states, --gen-random removes
precious entropy from your system. It might be worth adding to that note,
that regenerating entropy isn't that big of a deal. Something along the
lines of:
$ du / > /dev/null
Should be sufficient, by causing a lot of disk interrupts. Just a thought.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From jerome at jeromebaum.com Wed Jul 20 18:48:30 2011
From: jerome at jeromebaum.com (Jerome Baum)
Date: Wed, 20 Jul 2011 18:48:30 +0200
Subject: secring and dropbox
In-Reply-To: <20110720153916.GB7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
Message-ID:
> Ah, cool. However, as the gpg(1) manual states, --gen-random removes
> precious entropy from your system.
But that's really the point. If you want strong random data, that data
should have high entropy. But that entropy needs to come from
somewhere -- i.e., your system.
What I'd find more interesting is why you (Werner) chose quality level
1. What do these levels do? Is 2 full entropy, and 0 just urandom?
--
Jerome Baum
Hessenweg 222
48432 Rheine
GERMANY
tel +49-1578-8434336
email jerome at jeromebaum.com
web www.jeromebaum.com
--
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
--
Q: Why is this email five sentences or less?
A: http://five.sentenc.es
From aaron.toponce at gmail.com Wed Jul 20 18:55:35 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Wed, 20 Jul 2011 10:55:35 -0600
Subject: secring and dropbox
In-Reply-To:
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
Message-ID: <20110720165535.GD7497@poseidon.cocyt.us>
On Wed, Jul 20, 2011 at 06:48:30PM +0200, Jerome Baum wrote:
> > Ah, cool. However, as the gpg(1) manual states, --gen-random removes
> > precious entropy from your system.
>
> But that's really the point. If you want strong random data, that data
> should have high entropy. But that entropy needs to come from
> somewhere -- i.e., your system.
Yes, of course. I'm not arguing that it isn't, but rather the documentation
could be more complete, such as restoring that entropy after exhaustion.
> What I'd find more interesting is why you (Werner) chose quality level
> 1. What do these levels do? Is 2 full entropy, and 0 just urandom?
I'm curious about this as well, which shows that the documentation for this
switch is lacking somewhat. It would be beneficial for everyone who uses
gpg(1) to see some additional help here.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From hka at qbs.com.pl Wed Jul 20 18:57:09 2011
From: hka at qbs.com.pl (Hubert Kario)
Date: Wed, 20 Jul 2011 18:57:09 +0200
Subject: gpgsm and OCSP problems
Message-ID: <201107201857.14041.hka@qbs.com.pl>
Hi all!
I'm not sure if I configure the gnupg package correctly, but when I enable
OCSP I'm unable to validate certificates (gpgsm --with-validation -k)
When I add "enable-ocsp" to gpgsm.conf and "allow-ocsp" to dirmngr.conf I get
either "Unknown system error" or an "End of file error".
Even when the only other configuration variable is "honor-http-proxy" in
dirmngr.conf.
I tried adding CA certificates to ".gnugp/trusted-certs/" and intermediate
certificates together with OCSP responder server to ".gnupg/extra-certs/".
I verified that certificates are loaded by dirmngr, contain OCSP server
addresses and that the servers are queried.
I'm using
gpgsm (GnuPG) 2.0.17
libgcrypt 1.4.6
libksba 1.0.8
Log follows:
gpgsm[23389]: chan_9 -> [ 44 20 30 82 06 34 30 82 04 1c a0 03 02 01 02 02 ...
(982 byte(s) skipped) ]
gpgsm[23389]: chan_9 -> [ 44 20 05 07 02 01 16 22 68 74 74 70 3a 2f 2f 77 ...
(630 byte(s) skipped) ]
gpgsm[23389]: chan_9 -> END
dirmngr[23390]: chan_6 S ONLY_VALID_IF_CERT_VALID
D9DF4E2507CB1A4E76DF761CB5505625E5E23B67
dirmngr[23390.0]: certificate status is: good (this=20110720T120126
next=20110721T123920)
gpgsm[23389]: chan_9 OK
gpgsm[23389]: chan_9
From peter at digitalbrains.com Wed Jul 20 21:48:50 2011
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 20 Jul 2011 21:48:50 +0200
Subject: Where are those stubs..
In-Reply-To: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
Message-ID: <4E273122.9050807@digitalbrains.com>
On 19/07/11 01:20, J. Ottosson wrote:
> Example: I have this newly installed GPG, through GPG4WIN. After having done
> some checking and searching in manuals and on the list, I have come to
> conclusion that entering the command "gpg --card-status" should make the secret
> key stubs appear in the keyring.
>
> I cannot get this to work though.
AFAIK, you need to get the public key imported in GnuPG before you do
--card-status. So you first download your own public key from a keyserver or a
website or a USB stick, you don't get it from the smartcard. Only when GnuPG
already has the public key, will it create the secret key stubs when it sees
your smartcard.
Good luck,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
From brewhaha at freenet.edmonton.ab.ca Wed Jul 20 23:44:03 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Wed, 20 Jul 2011 15:44:03 -0600
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To:
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
<4E249FD4.9070603@vulcan.xs4all.nl>
<4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
<4E24D276.1040306@freenet.edmonton.ab.ca>
<83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
Message-ID: <4E274C23.6020004@freenet.edmonton.ab.ca>
-----BEGIN PGP SIGNED MESSAGE-----
On 2011-07-20 4:31 AM, Richard wrote:
> Hello,
>
> On Tue, Jul 19, 2011 at 03:57, Robert J. Hansen
> wrote:
>> Is there some particular reason why you send messages in an
>> obfuscated format?
>
> how is that working anyway? Apparently GPG automatically decrypted
> those messages for me. How were they generated? What is that? :)
gpg --sign message.txt
notepad message.txt.asc
Clear message answer.
Cut and paste message.txt.asc into answer of message.
It is a compressed, ascii-armoured, and signed message.
It handles long lines without pgp/mime (which currently
doesn't work for me), and it survives whitespace corruption
such as what you might get from cutting and pasting a
message from an archive. "gpg -sa message.txt" does the
same thing. Notice the omitted Teh that would make it a
- --clearsign .
>
> Thanks,
>
> Richard
>
The soldier who survived mustard gas and
pepper spray is now a seasoned veteran.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From dougb at dougbarton.us Wed Jul 20 23:48:03 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Wed, 20 Jul 2011 14:48:03 -0700
Subject: secring and dropbox
In-Reply-To: <20110720165535.GD7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
Message-ID: <4E274D13.80700@dougbarton.us>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 07/20/2011 09:55, Aaron Toponce wrote:
> Yes, of course. I'm not arguing that it isn't, but rather the documentation
> could be more complete, such as restoring that entropy after exhaustion.
Some of us run systems that don't have that issue. :)
- --
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
-----END PGP SIGNATURE-----
From jc.cavaille at laposte.net Sat Jul 16 23:26:11 2011
From: jc.cavaille at laposte.net (J2C)
Date: Sat, 16 Jul 2011 21:26:11 +0000 (UTC)
Subject: Fw: compile errors
References: <20101102101232.394e3b1f@arakus>
Message-ID:
I confirm, similar problem on gnupg-2.0.17
From brewhaha at freenet.edmonton.ab.ca Thu Jul 21 00:21:29 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Wed, 20 Jul 2011 16:21:29 -0600
Subject: secring and dropbox
In-Reply-To: <20110720153916.GB7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com> <8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
Message-ID: <4E2754E9.600@freenet.edmonton.ab.ca>
-----BEGIN PGP SIGNED MESSAGE-----
On 2011-07-20 9:39 AM, Aaron Toponce wrote:
> On Wed, Jul 20, 2011 at 11:23:12AM +0200, Werner Koch wrote:
>> On Wed, 20 Jul 2011 03:25, rjh at sixdemonbag.org said:
>>> I'm presenting the script here in case someone else finds
>>> it useful, but really, it's embarrassingly simple.
Never let simple embarrass you.
For me, it is key.
For someone else, it might be poetry.
For someone simpler than you, it might be obfuscation. :)
>> gpg --gen-random --armor 1 16
>>
>> Might even be a bit simpler ;-)
>
> Ah, cool. However, as the gpg(1) manual states,
> --gen-random removes precious entropy from your system.
I took that for a joke. Someone should put a ;-) in the doc.
> It might be worth adding to that note,
> that regenerating entropy isn't that big of a deal.
> Something along the
> lines of:
>
> $ du / > /dev/null
>
> Should be sufficient, by causing a lot of disk interrupts.
> Just a thought.
>
> --
> . o . o . o . . o o . . . o .
> . . o . o o o . o . o o . . o
> o o o . o . . o o o o . o o o
Discarded Acronyms: Wake On Packet: WOP.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From brewhaha at freenet.edmonton.ab.ca Thu Jul 21 02:01:23 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Wed, 20 Jul 2011 18:01:23 -0600
Subject: secring and dropbox
In-Reply-To: <20110720165535.GD7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com> <8739i1wbjz.fsf@vigenere.g10code.de> <20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
Message-ID: <4E276C53.8000906@freenet.edmonton.ab.ca>
From holtzm at cox.net Thu Jul 21 02:38:21 2011
From: holtzm at cox.net (Robert Holtzman)
Date: Wed, 20 Jul 2011 17:38:21 -0700
Subject: Where are those stubs..
In-Reply-To: <20110720115654.2f82faa3@scorpio>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
<4E269EBE.7070805@gbenet.com> <20110720083734.6f31882a@scorpio>
<4E26E97A.9040806@gbenet.com> <20110720115654.2f82faa3@scorpio>
Message-ID: <20110721003821.GA15884@cox.net>
On Wed, Jul 20, 2011 at 11:56:54AM -0400, Jerry wrote:
> On Wed, 20 Jul 2011 15:43:06 +0100
> david at gbenet.com articulated:
..........snip........
>
> > Most people have Microsoft on their desktop or laptop without any
> > choice. They do not have the freedom of choice. Most people like my
> > girlfriend just switch on their laptop or desktop and use it without
> > any knowledge that there are alternatives.
>
> Absolutely, F**ken Bulls**t. You always have a choice. The truth of the
> matter is that your girlfriend, or any other individual for that
> matter, choose an OS that they can actually just turn on and have it
> work without spending days attempting to get simple things like
> wireless, printers, etcetera operational. Hell, I use FreeBSD as a
> hobbyist OS on two machines and it doesn't even support the wireless
> "N" protocol after over 5 years. The list goes on and on. People tend
> to use what works best for them. Even more so, they use what works best
> in their environment.
Never worked for a company that dictated what software everyone used,
did you?
..........snip..........
> What you are really trying to enforce is the concept of socialism.
What has preferring to do business with ethical companies got to do with
socialism or any form of government?
> You
> don't hate Microsoft, or any other corporation specifically. You are
> using this pseudo "business practice" scenario as a smoke screen to
> cover up the fact that you are really an anti-capitalist.
I'm surprised you didn't invoke the "Liberal Agenda".
> You want
> software to be free. I have no problem with that as long as it does not
> deprive an individual of his due compensation. You usually get what you
> pay for.
You just alienated the entire FOSS community.
--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
From rjh at sixdemonbag.org Thu Jul 21 03:01:23 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 20 Jul 2011 21:01:23 -0400
Subject: Where are those stubs..
In-Reply-To: <20110721003821.GA15884@cox.net>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
<4E269EBE.7070805@gbenet.com> <20110720083734.6f31882a@scorpio>
<4E26E97A.9040806@gbenet.com> <20110720115654.2f82faa3@scorpio>
<20110721003821.GA15884@cox.net>
Message-ID:
> You just alienated the entire FOSS community.
Please don't claim to speak for the entire FOSS community. You don't. No one does: not even RMS, Linus or Jordan Hubbard.
Further, a lot of people within the FOSS community are not opposed to proprietary software: for instance, the BSDs. The community has a great deal more diversity of opinion than you think. Please respect those who hold differing views. Wasting time in fratricidal sniping does no one any good.
Finally, please take this entire thread elsewhere. This kind of flamefest is off-topic.
From brewhaha at freenet.edmonton.ab.ca Thu Jul 21 03:30:16 2011
From: brewhaha at freenet.edmonton.ab.ca (Jay Litwyn)
Date: Wed, 20 Jul 2011 19:30:16 -0600
Subject: Where are those stubs..
In-Reply-To: <20110721003821.GA15884@cox.net>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu> <20110720012551.GA12759@cox.net> <021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org> <1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry> <4E269EBE.7070805@gbenet.com>
<20110720083734.6f31882a@scorpio> <4E26E97A.9040806@gbenet.com>
<20110720115654.2f82faa3@scorpio> <20110721003821.GA15884@cox.net>
Message-ID: <4E278128.1010806@freenet.edmonton.ab.ca>
On 2011-07-20 6:38 PM, Robert Holtzman wrote:
> On Wed, Jul 20, 2011 at 11:56:54AM -0400, Jerry wrote:
>> On Wed, 20 Jul 2011 15:43:06 +0100
>> david at gbenet.com articulated:
> ..........snip........
>>> Most people have Microsoft on their desktop or laptop without any
>>> choice. They do not have the freedom of choice. Most people like my
>>> girlfriend just switch on their laptop or desktop and use it without
>>> any knowledge that there are alternatives.
>> Absolutely, F**ken Bulls**t. You always have a choice. The truth of the
>> matter is that your girlfriend, or any other individual for that
>> matter, choose an OS that they can actually just turn on and have it
>> work without spending days attempting to get simple things like
>> wireless, printers, etcetera operational. Hell, I use FreeBSD as a
>> hobbyist OS on two machines and it doesn't even support the wireless
>> "N" protocol after over 5 years. The list goes on and on. People tend
>> to use what works best for them. Even more so, they use what works best
>> in their environment.
> Never worked for a company that dictated what software everyone used,
> did you?
>
> ..........snip..........
>
>> What you are really trying to enforce is the concept of socialism.
> What has preferring to do business with ethical companies got to do with
> socialism or any form of government?
>
>> You
>> don't hate Microsoft, or any other corporation specifically. You are
>> using this pseudo "business practice" scenario as a smoke screen to
>> cover up the fact that you are really an anti-capitalist.
> I'm surprised you didn't invoke the "Liberal Agenda".
>
>> You want
>> software to be free. I have no problem with that as long as it does not
>> deprive an individual of his due compensation. You usually get what you
>> pay for.
> You just alienated the entire FOSS community.
>
>
Time, trouble, or tickets; you'll get what's paid for.
http://ecn.ab.ca/~brewhaha/Sound/Desserts.mp3
(It's not finished. Vocals in it are straight a-cappella.)
From richard at r-selected.de Thu Jul 21 08:26:58 2011
From: richard at r-selected.de (Richard)
Date: Thu, 21 Jul 2011 08:26:58 +0200
Subject: Can version 1.4.11 be configured to use IDEA?
In-Reply-To: <4E274C23.6020004@freenet.edmonton.ab.ca>
References: <4E24902F.5030609@freenet.edmonton.ab.ca>
<4E249FD4.9070603@vulcan.xs4all.nl>
<4E24A976.8030103@freenet.edmonton.ab.ca>
<4E24B00A.4010303@vulcan.xs4all.nl>
<4E24D276.1040306@freenet.edmonton.ab.ca>
<83B1D3E9-88C1-4A0D-8F0A-1411C8A9388D@sixdemonbag.org>
<4E274C23.6020004@freenet.edmonton.ab.ca>
Message-ID:
All right, thanks! :)
From wk at gnupg.org Thu Jul 21 10:46:08 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Jul 2011 10:46:08 +0200
Subject: gpgsm and OCSP problems
In-Reply-To: <201107201857.14041.hka@qbs.com.pl> (Hubert Kario's message of
"Wed, 20 Jul 2011 18:57:09 +0200")
References: <201107201857.14041.hka@qbs.com.pl>
Message-ID: <87livsuilr.fsf@vigenere.g10code.de>
Hi,
can you please try the attached patch for GnuPG? I checked that it
applies against a vanilla 2.0.17 but I have not done any tests.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x
Type: application/octet-stream
Size: 8563 bytes
Desc: not available
URL:
From wk at gnupg.org Thu Jul 21 14:58:19 2011
From: wk at gnupg.org (Werner Koch)
Date: Thu, 21 Jul 2011 14:58:19 +0200
Subject: Where are those stubs..
In-Reply-To: <4E273122.9050807@digitalbrains.com> (Peter Lebbing's message of
"Wed, 20 Jul 2011 21:48:50 +0200")
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<4E273122.9050807@digitalbrains.com>
Message-ID: <87vcuvu6xg.fsf@vigenere.g10code.de>
On Wed, 20 Jul 2011 21:48, peter at digitalbrains.com said:
> AFAIK, you need to get the public key imported in GnuPG before you do
> --card-status. So you first download your own public key from a keyserver or a
> website or a USB stick, you don't get it from the smartcard. Only when GnuPG
> already has the public key, will it create the secret key stubs when it sees
> your smartcard.
Right. This is also the reason why we have the URL field on the card.
For example on my card:
URL of public key : finger:wk at g10code.com
Now if I run "gpg --card-edit" I just need to enter "fetch" and gpg will
fetch the key from that URL.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
From lists at chrispoole.com Thu Jul 21 15:51:42 2011
From: lists at chrispoole.com (Chris Poole)
Date: Thu, 21 Jul 2011 14:51:42 +0100
Subject: gpg-agent automatically use passphrase for signing subkey?
Message-ID:
Hi
I have a program which encrypts and signs files; I supply the same key
ID for both operations, the 'primary ID'.
My key actually consists of the main key and two subkeys, for
encryption and signing.
I'm using gpg-agent to cache my passphrase.
I get asked for my passphrase (pinentry screen) once for the
encryption key, and then again, for the signing key.
Can I instruct the agent to give the passphrase for any subkey? Given
that they're both subkeys, the passphrases are the same.
Thanks
Chris Poole
[PGP BAD246F9]
From aaron.toponce at gmail.com Thu Jul 21 16:20:09 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Thu, 21 Jul 2011 08:20:09 -0600
Subject: secring and dropbox
In-Reply-To: <4E276C53.8000906@freenet.edmonton.ab.ca>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
Message-ID: <20110721142009.GG7497@poseidon.cocyt.us>
On Wed, Jul 20, 2011 at 06:01:23PM -0600, Jay Litwyn wrote:
> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
>
> owF9Vl1oHFUUThpb6eJSfa7oKYJJcH8msWmTWFISH9otplaptPVF7s7c3bnJzNzp
> vXey2bZo37QIolKhSBUR/KEovvRFxBeh9lUQf6AgaB8VXwTpW/3OnZ20VTAksDv3
> 3HO+853vfJM36xNj28YfeWrt8k/u/N/jn+/c0b2/n/dbbtMdnUzGn81oNpiZaQb7
> m7MBzQSLc3O0vNqgZWF0Rsd1rrNQ0sBoJxfrtSVC/AkZNehIkeBiw18m4SjYt7h3
[snip]
Am I the only one who can't decrypt this message? Is there something I'm
missing?
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From ben at adversary.org Thu Jul 21 16:34:39 2011
From: ben at adversary.org (Ben McGinnes)
Date: Fri, 22 Jul 2011 00:34:39 +1000
Subject: secring and dropbox
In-Reply-To: <20110721142009.GG7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
Message-ID: <4E2838FF.7070303@adversary.org>
On 22/07/11 12:20 AM, Aaron Toponce wrote:
> On Wed, Jul 20, 2011 at 06:01:23PM -0600, Jay Litwyn wrote:
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v2.0.17 (MingW32)
>> Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
>>
>> owF9Vl1oHFUUThpb6eJSfa7oKYJJcH8msWmTWFISH9otplaptPVF7s7c3bnJzNzp
>> vXey2bZo37QIolKhSBUR/KEovvRFxBeh9lUQf6AgaB8VXwTpW/3OnZ20VTAksDv3
>> 3HO+853vfJM36xNj28YfeWrt8k/u/N/jn+/c0b2/n/dbbtMdnUzGn81oNpiZaQb7
>> m7MBzQSLc3O0vNqgZWF0Rsd1rrNQ0sBoJxfrtSVC/AkZNehIkeBiw18m4SjYt7h3
> [snip]
>
> Am I the only one who can't decrypt this message? Is there something
> I'm missing?
It wasn't encrypted, it was signed and base64 encoded (gpg -sa). That
said, you're almost certainly not the only one who couldn't read it
(for the record, I could).
Regards,
Ben
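The distinction drawn in the reply above (signed and armored, not encrypted) can be read from the armor itself, because the first decoded octet names the outer OpenPGP packet. The following Python sketch is an added example, not code from the thread or from GnuPG: the function names are illustrative, the tag and compression numbers follow RFC 4880, and the two encrypted samples are constructed.

```python
import base64
import re

# The armored message as it is quoted in the thread, cut at "[snip]".
QUOTED = """\
>> -----BEGIN PGP MESSAGE-----
>> Version: GnuPG v2.0.17 (MingW32)
>> Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
>>
>> owF9Vl1oHFUUThpb6eJSfa7oKYJJcH8msWmTWFISH9otplaptPVF7s7c3bnJzNzp
> [snip]
"""
# Constructed samples (not from the thread): an old-format tag 1 header and a
# new-format tag 18 header, each followed by zero bytes.
CONSTRUCTED_PKESK = base64.b64encode(bytes([0x85, 0x01, 0x0C]) + bytes(9)).decode()
CONSTRUCTED_SEIPD = base64.b64encode(bytes([0xD2, 0x05]) + bytes(5)).decode()

PACKET_TAGS = {
    1: "public-key encrypted session key",
    2: "signature",
    3: "symmetric-key encrypted session key",
    4: "one-pass signature",
    8: "compressed data",
    9: "symmetrically encrypted data",
    11: "literal data",
    18: "symmetrically encrypted integrity-protected data",
}
ENCRYPTED_TAGS = {1, 3, 9, 18}
COMPRESSION_ALGOS = {0: "uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def armor_to_bytes(text):
    """Decode an armored block, tolerating mail quoting and a truncated body."""
    lines = [ln.lstrip("> ").rstrip() for ln in text.strip().splitlines()]
    if lines and lines[0].startswith("-----BEGIN PGP"):
        if "" not in lines:
            raise ValueError("armor headers are not terminated by a blank line")
        lines = lines[lines.index("") + 1:]
    chunks = []
    for ln in lines:
        if not B64_LINE.match(ln):   # CRC line, END line, "[snip]", ...
            break
        chunks.append(ln)
    data = "".join(chunks)
    # A truncated quote may end mid-quantum; decode whole 4-character groups only.
    return base64.b64decode(data[: len(data) - len(data) % 4])


def first_packet(data):
    """Return (tag, body) of the first packet; body may be truncated."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    first = data[0]
    if first & 0x40:                      # new-format header
        if len(data) < 2:
            raise ValueError("packet header is truncated")
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192 or 224 <= l0 < 255:   # one-octet or partial body length
            n = 1
        elif l0 < 224:                    # two-octet length
            n = 2
        else:                             # 0xFF: five-octet length
            n = 5
    else:                                 # old-format header
        tag = (first >> 2) & 0x0F
        n = (1, 2, 4, 0)[first & 0x03]    # length type 3 = indeterminate length
    return tag, data[1 + n:]


def classify(text):
    """Describe the outer packet of an armored OpenPGP message."""
    tag, body = first_packet(armor_to_bytes(text))
    detail = ""
    if tag == 8 and body:
        detail = COMPRESSION_ALGOS.get(body[0], "unknown algorithm %d" % body[0])
    return {
        "tag": tag,
        "name": PACKET_TAGS.get(tag, "other"),
        "encrypted": tag in ENCRYPTED_TAGS,
        "detail": detail,
    }


if __name__ == "__main__":
    for label, sample in (("quoted message", QUOTED),
                          ("constructed PKESK", CONSTRUCTED_PKESK),
                          ("constructed SEIPD", CONSTRUCTED_SEIPD)):
        print(label, classify(sample))
```

The quoted message starts with a compressed data packet, so no key is needed to read it; the signature packets sit inside the compressed stream, and `gpg --list-packets` prints the full packet sequence.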
From shavital at mac.com Thu Jul 21 16:42:23 2011
From: shavital at mac.com (Charly Avital)
Date: Thu, 21 Jul 2011 10:42:23 -0400
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To:
References:
Message-ID: <4E283ACF.1020600@mac.com>
Chris Poole wrote on 7/21/11 2:51:42 PM:
> Hi
>
> I have a program
Which version of GnuPG are you running, and where did you download it
from, please? Just for information.
> which encrypts and signs files; I supply the same key
> ID for both operations, the 'primary ID'.
>
> My key actually consists of the main key and two subkeys, for
> encryption and signing.
This is the information pertaining to the key whose key ID is mentioned
in your e-mail:
pub 1024D/BAD246F9 created: 2006-03-31 expires: never usage: SC
trust: unknown validity: unknown
sub 2048D/7ED39759 created: 2010-12-11 expires: never usage: S
sub 4096g/E71D7B3E created: 2006-03-31 expires: never usage: E
[ unknown] (1). Chris Poole
[ unknown] (2) Chris Poole
> I'm using gpg-agent to cache my passphrase.
>
> I get asked for my passphrase (pinentry screen) once for the
> encryption key, and then again, for the signing key.
You are asked for your passphrase once for *decrypting* an e-mail that
has been encrypted using your public key; and then once again to sign an
e-mail. In other words, when you need to use your secret key.
> Can I instruct the agent to give the passphrase for any subkey? Given
> that they're both subkeys, the passphrases are the same.
gpg-agent *caches* your passphrase (in encrypted form) for each of the
two operations described above.
The passphrase remains cached (you are not requested to type it again)
for the value in seconds set in ~/.gnupg/gpg-agent.conf - You can edit
that file (gpg-agent.conf) with a suitable text editor (like TextEdit
that is a part of MacOSX, or with BBEdit light (freeware)).
Best regards,
Charly
OSX 10.7 (11A511) MacBook Intel C2Duo 2GHz-GnuPG 1.4.11-MacGPG2-2.0.17
Shredder 8.0a1 (2011-07-21) Enigmail 1.3a1pre (20110717-1422)
From lists at chrispoole.com Thu Jul 21 17:40:17 2011
From: lists at chrispoole.com (Chris Poole)
Date: Thu, 21 Jul 2011 16:40:17 +0100
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To: <4E283ACF.1020600@mac.com>
References:
<4E283ACF.1020600@mac.com>
Message-ID:
Perhaps I explained poorly.
I'm using gpg 1.4.11, gpg-agent 2.0.17.
Is it possible to enter a passphrase using gpg-agent, and have it cached such
that it's used whenever I want to use any subkeys from the same main key?
Scenario:
I sign a file with my signing subkey, and give gpg-agent my passphrase.
I then decrypt another file, which has been encrypted using my encryption key,
which is a sister subkey to the signing key (i.e., they both have the same
parent 'main key'). Is it possible to not be prompted for my passphrase again
for this operation?
I understand that they're separate keys, so I'm being prompted twice, but they
are both belonging to the same primary key: can that passphrase apply to all
subkeys when entered for any one?
I hope that clarifies what I want to do...
Cheers
Chris Poole
[PGP BAD246F9]
From j-001 at ottosson.nu Thu Jul 21 17:55:48 2011
From: j-001 at ottosson.nu (J. Ottosson)
Date: Thu, 21 Jul 2011 17:55:48 +0200
Subject: Where are those stubs..
In-Reply-To: <87vcuvu6xg.fsf@vigenere.g10code.de>
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>,
<4E273122.9050807@digitalbrains.com> (Peter Lebbing's message of
"Wed, 20 Jul 2011 21:48:50 +0200"),
<87vcuvu6xg.fsf@vigenere.g10code.de>
Message-ID: <4E284C04.17097.62647E@j-001.ottosson.nu>
On 21 Jul 2011 at 14:58, Werner Koch wrote:
> On Wed, 20 Jul 2011 21:48, peter at digitalbrains.com said:
>
> > AFAIK, you need to get the public key imported in GnuPG before you do
> > --card-status. So you first download your own public key from a
> > keyserver or a website or a USB stick, you don't get it from the
> > smartcard. Only when GnuPG already has the public key, will it create
> > the secret key stubs when it sees your smartcard.
>
> Right. This is also the reason why we have the URL field on the card. For
> example on my card:
>
> URL of public key : finger:wk at g10code.com
>
> Now if I run "gpg --card-edit" I just need to enter "fetch" and gpg will
> fetch the key from that URL.
Thank you both for that piece of info, it was the missing information I think.
In a real world scenario this wouldn't be an issue (and hardly noticed) but in
this case I was testing this specifically and only, and didn't see any notice of
the pubkey having to be imported first; I'm unsure if those pieces of
information have been put together earlier in the replies I've read.
Thanks.
/J
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
From shavital at mac.com Thu Jul 21 18:30:27 2011
From: shavital at mac.com (Charly Avital)
Date: Thu, 21 Jul 2011 12:30:27 -0400
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To:
References:
<4E283ACF.1020600@mac.com>
Message-ID: <4E285423.60702@mac.com>
Chris Poole wrote on 7/21/11 4:40:17 PM:
> Perhaps I explained poorly.
You explained very clearly.
> I'm using gpg 1.4.11, gpg-agent 2.0.17.
You can have, as I do, both 1.4.11 and 2.0.17 installed side by side in
the same system.
You can use either one, as set in the path of your e-mail application.
You are using a @gmail.com based user ID, and the raw source of your
e-mail does not display which MUA you are using.
I am using Shredder, which is a trunk release of Thunderbird, where the
path, as displayed in OpenPGP/Preferences, is
/usr/local/MacGPG2/bin/gpg2. Thus I am using gpg2, in this case
MacGPG2-2.0.17-9
If instead I had set /usr/local/MacGPG2/bin/gpg , I would be using gpg,
that would be gpg 1.4.11
If you are using Apple's Mail application (under 10.6.8), it will choose
gpg2 by default. Under Lion, the Mailbundle for Apple's Mail application
does not work, it is being rewritten by a group of developers.
>
> Is it possible to enter a passphrase using gpg-agent, and have it cached such
> that it's used whenever I want to use any subkeys from the same main key?
>
> Scenario:
>
> I sign a file with my signing subkey, and give gpg-agent my passphrase.
>
> I then decrypt another file, which has been encrypted using my encryption key,
> which is a sister subkey to the signing key (i.e., they both have the same
> parent 'main key'). Is it possible to not be prompted for my passphrase again
> for this operation?
>
> I understand that they're separate keys, so I'm being prompted twice, but they
> are both belonging to the same primary key: can that passphrase apply to all
> subkeys when entered for any one?
>
> I hope that clarifies what I want to do...
Maybe *I* wasn't clear enough.
gpg-agent "goes" by *actions*: decrypt, or sign.
gpg-agent is invoked whenever you use your secret key, either for
decrypting or for signing.
As far as gpg-agent is concerned, those are two different *actions*.
When your passphrase has been cached for each of those *actions*, it
will remain in gpg-agent's "memory" for the duration of the cache set in
your home directory ~/.gnupg/gpg-agent.conf
Charly
From email at sven-radde.de Thu Jul 21 17:30:43 2011
From: email at sven-radde.de (Sven Radde)
Date: Thu, 21 Jul 2011 17:30:43 +0200
Subject: secring and dropbox
In-Reply-To: <20110721142009.GG7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
Message-ID: <4E284623.10500@sven-radde.de>
Hi!
At 20:59, Aaron Toponce wrote:
> [snip]
>
> Am I the only one who can't decrypt this message? Is there something I'm
> missing?
I *could* decode it, but since I'm reading the list in "digest" and
"MIME" mode (i.e., I get one combined email for every 10 postings and
each posting is a separate MIME attachment), I would have to
specifically open such a particular mail attachment and hit
"decrypt/verify" in Enigmail.
I don't do that.
cu, Sven
From holtzm at cox.net Thu Jul 21 20:28:58 2011
From: holtzm at cox.net (Robert Holtzman)
Date: Thu, 21 Jul 2011 11:28:58 -0700
Subject: Where are those stubs..
In-Reply-To:
References: <4E24BFB5.12687.D8DB985@j-001.ottosson.nu>
<20110720012551.GA12759@cox.net>
<021FAABD-8CEC-4B5F-AD5D-665E31EFACFF@sixdemonbag.org>
<1751996707-1311144374-cardhu_decombobulator_blackberry.rim.net-2040572897-@b1.c27.bise6.blackberry>
<4E269EBE.7070805@gbenet.com> <20110720083734.6f31882a@scorpio>
<4E26E97A.9040806@gbenet.com> <20110720115654.2f82faa3@scorpio>
<20110721003821.GA15884@cox.net>
Message-ID: <20110721182858.GA17739@cox.net>
On Wed, Jul 20, 2011 at 09:01:23PM -0400, Robert J. Hansen wrote:
> > You just alienated the entire FOSS community.
>
> Please don't claim to speak for the entire FOSS community. You don't. No one does: not even RMS, Linus or Jordan Hubbard.
I don't presume to. It was a deliberate exaggeration and I'm not going
to get into a pissing match about methods of expression.
--
Bob Holtzman
If you think you're getting free lunch,
check the price of the beer.
Key ID: 8D549279
From aaron.toponce at gmail.com Fri Jul 22 01:17:27 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Thu, 21 Jul 2011 17:17:27 -0600
Subject: secring and dropbox
In-Reply-To: <20110721231525.GH7497@poseidon.cocyt.us>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
<4E2838FF.7070303@adversary.org>
<20110721231525.GH7497@poseidon.cocyt.us>
Message-ID: <20110721231727.GI7497@poseidon.cocyt.us>
On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
> So, it appears I'm missing some configuration in Mutt then, as it remains
> as the PGP message without any attempt to get to the plain text. Also, how
> do you get the plain text? I can verify the signature, but can't seem to
> get the text out of the signature.
Nevermind. I can do it manually, but I'm not sure what I'm missing with
Mutt. Any Mutt users here that can help me out?
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From aaron.toponce at gmail.com Fri Jul 22 01:15:25 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Thu, 21 Jul 2011 17:15:25 -0600
Subject: secring and dropbox
In-Reply-To: <4E2838FF.7070303@adversary.org>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
<4E2838FF.7070303@adversary.org>
Message-ID: <20110721231525.GH7497@poseidon.cocyt.us>
On Fri, Jul 22, 2011 at 12:34:39AM +1000, Ben McGinnes wrote:
> On 22/07/11 12:20 AM, Aaron Toponce wrote:
> > On Wed, Jul 20, 2011 at 06:01:23PM -0600, Jay Litwyn wrote:
> >> -----BEGIN PGP MESSAGE-----
> >> Version: GnuPG v2.0.17 (MingW32)
> >> Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
> >>
> >> owF9Vl1oHFUUThpb6eJSfa7oKYJJcH8msWmTWFISH9otplaptPVF7s7c3bnJzNzp
> >> vXey2bZo37QIolKhSBUR/KEovvRFxBeh9lUQf6AgaB8VXwTpW/3OnZ20VTAksDv3
> >> 3HO+853vfJM36xNj28YfeWrt8k/u/N/jn+/c0b2/n/dbbtMdnUzGn81oNpiZaQb7
> >> m7MBzQSLc3O0vNqgZWF0Rsd1rrNQ0sBoJxfrtSVC/AkZNehIkeBiw18m4SjYt7h3
> > [snip]
> >
> > Am I the only one who can't decrypt this message? Is there something
> > I'm missing?
>
> It wasn't encrypted, it was signed and base64 encoded (gpg -sa). That
> said, you're almost certainly not the only one who couldn't read it
> (for the record, I could).
So, it appears I'm missing some configuration in Mutt then, as it remains
as the PGP message without any attempt to get to the plain text. Also, how
do you get the plain text? I can verify the signature, but can't seem to
get the text out of the signature.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From remco at webconquest.com Fri Jul 22 08:08:27 2011
From: remco at webconquest.com (Remco Rijnders)
Date: Fri, 22 Jul 2011 08:08:27 +0200
Subject: secring and dropbox
In-Reply-To: <20110721231727.GI7497@poseidon.cocyt.us>
References:
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
<4E2838FF.7070303@adversary.org>
<20110721231525.GH7497@poseidon.cocyt.us>
<20110721231727.GI7497@poseidon.cocyt.us>
Message-ID:
On Thu, Jul 21, 2011 at 05:17:27PM -0600, Aaron Toponce wrote:
>On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
>> So, it appears I'm missing some configuration in Mutt then, as it remains
>> as the PGP message without any attempt to get to the plain text. Also, how
>> do you get the plain text? I can verify the signature, but can't seem to
>> get the text out of the signature.
>
>Nevermind. I can do it manually, but I'm not sure what I'm missing with
>Mutt. Any Mutt users here that can help me out?
Hi Aaron,
For me, the following does the trick:
When viewing the message enter P
It will prompt you for a password, just hit enter.
These two steps made the message readable for me in mutt.
Cheers,
Remco
From aaron.toponce at gmail.com Fri Jul 22 08:34:59 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Fri, 22 Jul 2011 00:34:59 -0600
Subject: secring and dropbox
In-Reply-To: <4E276C53.8000906@freenet.edmonton.ab.ca>
References: <4E261EC8.4060303@gmail.com>
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
Message-ID: <20110722063459.GA15201@poseidon.cocyt.us>
On Wed, Jul 20, 2011 at 06:01:23PM -0600, Jay Litwyn wrote:
> Note: my signatures break without pgp/mime,
> because Thunderbird is modifying my text after
> it signs my text, and I can't use pgp/mime,
> so I am using gpg -sa
I have used Thunderbird with GnuPG extensively on Windows, Mac OS X and
GNU/Linux, without problem. I prefer PGP/MIME for my signatures, and have
never had that problem. So, I'm guessing that you have something going on
with your installation that is not standard.
Also, it appears you're wrapping your lines at 50 characters. Why so short? I
can understand 72, so it gives room for nested replies four-deep up to 80
characters, but 50 seems really short. Just curious.
> http://ecn.ab.ca/~brewhaha/gpg/prand.png
>
> I jenerated 1 440 000 bytes (800x600 RGB) with:
> gpg --no-armor --gen-random 0 1440000 >prand.raw
> I also did it with one. I see no histogram
> difference in either graphic, so I did not
> post a graphic for one. I did not do
> it with two, because gpg was telling me
> that I should enable disk performance
> counters, while windows was telling me that
> disk performance counters are permanently
> enabled for all versions beyond 2000.
>
> All three of them outperform /dev/random
> under Mandrake circa 2005 by a long shot,
> probably because Mandrake waited for events,
> so it actually performed better if I raised
> X-windows during the copy from /dev/random
>
> Both graphics were uncompressible, meaning
> that png gets a slight expansion to
> 1 441 159 bytes (without the histogram).
>
> Grayscale histograms were flat in both
> of them. A histogram in that graphic reflects
> high quality uniformly distributed random
> numbers.
>
> A simple pseudo-random number jenerator
> that I wrote on
> http://ecn.ab.ca/~brewhaha/Moderation.htm
> haz a very similar histogram.
Interesting. Additional comment from Werner, or others, on your findings
would be welcomed on my end.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
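A flat byte histogram, the check described in the quoted experiment, is a property that any good generator's output has, but a fully predictable stream has it too. The following Python example is added here and is not code from the thread: it measures histogram flatness with a chi-square statistic and adds one simple order-dependent check. It assumes `os.urandom` as the reference source so that it runs without GnuPG; the counter stream is constructed and the function names are illustrative.

```python
import os
from collections import Counter

SAMPLE_SIZE = 1440000  # the 800x600 RGB byte count used in the quoted experiment


def chi_square(data):
    """Pearson chi-square of the byte histogram against a uniform one (255 d.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def successor_rate(data):
    """Fraction of positions where the next byte equals the current byte plus one."""
    hits = sum(1 for a, b in zip(data, data[1:]) if b == (a + 1) & 0xFF)
    return hits / (len(data) - 1)


def counter_stream(n):
    """Constructed worst case: 0, 1, ..., 255 repeated. Flat histogram, no secrecy."""
    return (bytes(range(256)) * (n // 256 + 1))[:n]


def os_sample(n=SAMPLE_SIZE):
    """Reference sample from the operating system's CSPRNG."""
    return os.urandom(n)


def report(name, data):
    """Both statistics for one sample; the histogram only sees value counts."""
    return {
        "name": name,
        "chi_square": chi_square(data),          # near 255 for uniform bytes
        "successor_rate": successor_rate(data),  # near 1/256 for independent bytes
    }


if __name__ == "__main__":
    for name, data in (("os.urandom", os_sample()),
                       ("counter", counter_stream(SAMPLE_SIZE))):
        print(report(name, data))
```

The counter stream scores a chi-square of exactly 0, flatter than any random source, while every byte is predictable from the one before it. The functions accept any byte string, so the contents of a file such as `prand.raw` can be passed in as well.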
From lists at chrispoole.com Fri Jul 22 11:38:39 2011
From: lists at chrispoole.com (Chris Poole)
Date: Fri, 22 Jul 2011 10:38:39 +0100
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To: <4E285423.60702@mac.com>
References:
<4E283ACF.1020600@mac.com>
<4E285423.60702@mac.com>
Message-ID:
On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
> gpg-agent "goes" by *actions*: decrypt, or sign.
>
> gpg-agent is invoked whenever you use your secret key, either for
> decrypting or for signing.
>
> As far as gpg-agent is concerned, those are two different *actions*.
>
> When your passphrase has been cached for each of those *actions*, it
> will remain in gpg-agent's "memory" for the duration of the cache set in
> your home directory ~/.gnupg/gpg-agent.conf
That's a shame, but thanks.
Cheers
Chris Poole
[PGP BAD246F9]
From shavital at mac.com Fri Jul 22 12:57:31 2011
From: shavital at mac.com (Charly Avital)
Date: Fri, 22 Jul 2011 06:57:31 -0400
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To:
References:
<4E283ACF.1020600@mac.com>
<4E285423.60702@mac.com>
Message-ID: <4E29579B.2090401@mac.com>
Chris Poole wrote on 7/22/11 10:38:39 AM:
> On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
>> When your passphrase has been cached for each of those *actions*, it
>> will remain in gpg-agent's "memory" for the duration of the cache set in
>> your home directory ~/.gnupg/gpg-agent.conf
>
> That's a shame, but thanks.
Shame?
I find it very convenient.
Take care and have a fine week end.
Charly
From lists at michel-messerschmidt.de Fri Jul 22 21:37:09 2011
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Fri, 22 Jul 2011 21:37:09 +0200
Subject: secring and dropbox
In-Reply-To: <20110721231727.GI7497@poseidon.cocyt.us>
References:
<8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
<4E2838FF.7070303@adversary.org>
<20110721231525.GH7497@poseidon.cocyt.us>
<20110721231727.GI7497@poseidon.cocyt.us>
Message-ID: <20110722193709.GA5656@hiro.matrix>
On Thu, Jul 21, 2011 at 05:17:27PM -0600, Aaron Toponce wrote:
> On Thu, Jul 21, 2011 at 05:15:25PM -0600, Aaron Toponce wrote:
> > So, it appears I'm missing some configuration in Mutt then, as it remains
> > as the PGP message without any attempt to get to the plain text. Also, how
> > do you get the plain text? I can verify the signature, but can't seem to
> > get the text out of the signature.
>
> Nevermind. I can do it manually, but I'm not sure what I'm missing with
> Mutt. Any Mutt users here that can help me out?
mutt handled the message without error here.
In addition to the settings from gpg.rc my .muttrc contains:
set pgp_use_gpg_agent = yes
set pgp_auto_decode = yes
(I use gpg version 2.0.14)
From marcio.barbado at gmail.com Sat Jul 23 00:56:42 2011
From: marcio.barbado at gmail.com (Marcio B. Jr.)
Date: Fri, 22 Jul 2011 19:56:42 -0300
Subject: OT: IM encryption options [was: Re: Is the OpenPGP model still
useful?]
In-Reply-To: <4E14B2CE.4050104@fifthhorseman.net>
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<4E14B2CE.4050104@fifthhorseman.net>
Message-ID:
Hello Daniel,
sorry for such a delay; this has been a wild JULY.
On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor wrote:
> On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
>> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
>> Diffie-Hellman key exchange method with block ciphers.
>
> Why does this seem unjustifiable to you? DH and block ciphers are
> widely-reviewed parts of the standard crypto toolkit. Do you have
> reason to believe they're generally bad?
It seems unjustifiable because there exists an option in which secret
keys need not take risks. And if there's any security concern and
one's to choose between zero risk and any other positive-value risk,
it's reasonable to pick the former.
>> As of what I got from your (Robert) explanation plus some preliminary
>> conclusions of my studies, making use of asymmetric algos with OpenPGP
>> would be more coherent and secure, mathematically. Is it correct?
>
> Not all of these decisions should be made on purely mathematical
> grounds. Consider, for example, pidgin's old GPG plugin (i don't know
> whether it is still in use or under development)
>
> It worked by signing and encrypting each message before it was sent, and
> decrypting and verifying each response.
>
> However, IM messages tend to be heavily context-dependent, which makes
> them vulnerable to replay attacks.
No secret key can ever be intercepted or shared.
> For example, how many times have you written on IRC (or whatever IM
> network you use) the simple phrase "i agree"?
>
> If each message is individually signed and verified, it'd be relatively
> easy for an attacker to replay your "i agree" in another conversation,
> making it look like you agreed to something you hadn't actually agreed
> to. OTR's stream-based approach ensures that messages are only
> authenticated as part of a single, two-party conversation. There is no
> room for a replay attack.
I am obviously considering signing and encrypting.
> OTR also is designed so that a third-party (one not involved in the
> original communication) can't conclusively prove that you wrote
> something. this is the "off the record" part of OTR. It's debatable
> how useful this so-called "repudiability" would be in, say, a court of
> law; but individually-signed messages clearly do *not* have this kind of
> repudiability; anyone in possession of one of these messages can
> convince any third party that you did in fact write the message.
There is secrecy sharing so maintenance of this repudiability's
effectiveness is not entirely up to you.
Regards,
Marcio Barbado, Jr.
From aaron.toponce at gmail.com Sat Jul 23 02:07:02 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Fri, 22 Jul 2011 18:07:02 -0600
Subject: secring and dropbox
In-Reply-To: <20110722193709.GA5656@hiro.matrix>
References: <8739i1wbjz.fsf@vigenere.g10code.de>
<20110720153916.GB7497@poseidon.cocyt.us>
<20110720165535.GD7497@poseidon.cocyt.us>
<4E276C53.8000906@freenet.edmonton.ab.ca>
<20110721142009.GG7497@poseidon.cocyt.us>
<4E2838FF.7070303@adversary.org>
<20110721231525.GH7497@poseidon.cocyt.us>
<20110721231727.GI7497@poseidon.cocyt.us>
<20110722193709.GA5656@hiro.matrix>
Message-ID: <20110723000702.GA9838@poseidon.cocyt.us>
On Fri, Jul 22, 2011 at 09:37:09PM +0200, Michel Messerschmidt wrote:
> set pgp_auto_decode = yes
Perfect! That was the variable I was looking for! Thanks!
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
From aaron.toponce at gmail.com Sat Jul 23 02:17:10 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Fri, 22 Jul 2011 18:17:10 -0600
Subject: OT: IM encryption options [was: Re: Is the OpenPGP model still
useful?]
In-Reply-To:
References: <9B6DEDE3-309A-437E-A373-2166A3EE2951@sixdemonbag.org>
<20110428150505.GB4219@rio.matrix>
<4DBAB94B.9000600@sixdemonbag.org>
<4E14B2CE.4050104@fifthhorseman.net>
Message-ID: <20110723001710.GB9838@poseidon.cocyt.us>
On Fri, Jul 22, 2011 at 07:56:42PM -0300, Marcio B. Jr. wrote:
> Hello Daniel,
> sorry for such a delay; this has been a wild JULY.
>
>
> On Wed, Jul 6, 2011 at 4:09 PM, Daniel Kahn Gillmor wrote:
> > On 07/06/2011 01:28 PM, Marcio B. Jr. wrote:
> >> So far, OTR adoption seems unjustifiable, really. I mean, it uses the
> >> Diffie-Hellman key exchange method with block ciphers.
> >
> > Why does this seem unjustifiable to you? DH and block ciphers are
> > widely-reviewed parts of the standard crypto toolkit. Do you have
> > reason to believe they're generally bad?
>
> It seems unjustifiable because there exists an option in which secret
> keys need not take risks. And if there's any security concern and
> one's to choose between zero risk and any other positive-value risk,
> it's reasonable to pick the former.
Are you familiar with the DH key exchange? It doesn't seem that you are.
There is no risk in sharing the private key between the two parties. It
basically goes like this:
Step 1: A generates the private key.
Step 2: A encrypts the private key with a one-time session key.
Step 3: A sends the encrypted private key to B.
Step 4: B encrypts the encrypted private key with his 1-time key.
Step 5: B sends the doubly-encrypted private key to A.
Step 6: A decrypts what he can with his one-time session key.
Step 7: A sends the resulting encrypted key to B.
Step 8: B decrypts the private key with his 1-time key.
B now has the private key.
The one-time session keys are never shared, but stored locally on the
machine. Once the DH key exchange is finished, the session keys are destroyed.
Nowhere in the exchange is there any risk of the private key being
compromised. A MITM can grab all the packets he likes. Unless he has one or
both session keys, he's not getting the private key.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
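The eight steps in the message above, run end to end as an added example (not code from the post or from any project discussed). The steps only work if the two one-time encryptions commute; modular exponentiation modulo a prime is used here as an assumption, since the post names no cipher, and `P`, `one_time_key`, `lock`, `unlock` and `three_pass` are hypothetical names.

```python
import secrets
from math import gcd

P = 2**127 - 1  # Mersenne prime, constructed demo modulus (assumption)


def one_time_key():
    """Return (e, d): an exponent coprime to P-1 and its inverse mod P-1."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)  # needs Python 3.8+


def lock(value, e):
    """Encrypt under a one-time key: value**e mod P."""
    return pow(value, e, P)


def unlock(value, d):
    """Remove one layer: (value**e)**d == value mod P."""
    return pow(value, d, P)


def three_pass(secret):
    """Run steps 2-8; return what B ends up with and what crossed the wire."""
    a_e, a_d = one_time_key()      # A's one-time key, never sent
    b_e, b_d = one_time_key()      # B's one-time key, never sent
    msg1 = lock(secret, a_e)       # steps 2-3: A -> B, locked by A
    msg2 = lock(msg1, b_e)         # steps 4-5: B -> A, locked by A and B
    msg3 = unlock(msg2, a_d)       # steps 6-7: A -> B, locked by B only
    received = unlock(msg3, b_d)   # step 8: B removes his layer
    return received, [msg1, msg2, msg3]


if __name__ == "__main__":
    key = secrets.randbelow(P - 3) + 2   # step 1: A generates the key
    got, wire = three_pass(key)
    print("B recovered the key:", got == key)
    print("key sent in the clear:", key in wire)
```

Steps 6 to 8 succeed only because `lock` and `unlock` commute; the eight steps by themselves do not authenticate A or B to each other.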
From kloecker at kde.org Sat Jul 23 16:30:18 2011
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 23 Jul 2011 16:30:18 +0200
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To: <4E29579B.2090401@mac.com>
References:
<4E29579B.2090401@mac.com>
Message-ID: <201107231630.25752@thufir.ingo-kloecker.de>
On Friday 22 July 2011, Charly Avital wrote:
> Chris Poole wrote on 7/22/11 10:38:39 AM:
> > On Thu, Jul 21, 2011 at 5:30 PM, Charly Avital wrote:
> >> When your passphrase has been cached for each of those *actions*,
> >> it will remain in gpg-agent's "memory" for the duration of the
> >> cache set in your home directory ~/.gnupg/gpg-agent.conf
> >
> > That's a shame, but thanks.
>
> Shame?
> I find it very convenient.
You think it's convenient that you have to enter the same passphrase
twice, once when you want to sign something and then again when you want
to decrypt something?
There are surely use cases for this, but for someone like me who is
using gpg on a computer (resp. account) nobody else has (physical)
access to it's just an annoyance (albeit a minor one).
There is already the option --ignore-cache-for-signing (curiously the
corresponding option for decryption is missing, i.e. it's not possible
to use the cache for signing but not for decryption), so why not add
another option like --share-signing-and-decryption-cache? (I guess, if I
really wanted this I should provide a patch. :-) )
Regards,
Ingo
From richard at r-selected.de Sat Jul 23 16:48:52 2011
From: richard at r-selected.de (Richard)
Date: Sat, 23 Jul 2011 16:48:52 +0200
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To: <4E285423.60702@mac.com>
References:
<4E283ACF.1020600@mac.com>
<4E285423.60702@mac.com>
Message-ID:
As far as I know every subkey holds its own passphrase (per default,
they are all identical for a given primary key). This means that
passphrase requests are actually not action-based, but key-based.
Please correct me if I'm wrong. :)
Richard
From edmond at systemli.org Sat Jul 23 16:19:57 2011
From: edmond at systemli.org (Edmond)
Date: Sat, 23 Jul 2011 16:19:57 +0200
Subject: Primary Key Security, Old DSA Key
Message-ID: <4E2AD88D.8070409@systemli.org>
Hello everyone,
one of my keys (the one I'm signing this message with) was created a
while back and uses a 1024 bit DSA primary key. For encryption I'm using
a 4096 bit RSA subkey, and for signing a 2048 bit DSA subkey (due to the
smaller signature).
gpg2 --list-packets for my primary key and the encryption subkey spawns:
iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 96
and for my signing key:
iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 161
The 'protect count' of my signing key is higher as it was created using
a relatively new version of GnuPG 2 on a newer CPU.
An OpenPGP S2K count of 96 implies 65536 rounds. On my mobile computer,
gpg-connect-agent 'getinfo s2k_count' /bye
calculates 1102848 rounds; and on my desktop computer the number is
almost four times as big. Hence I will soon increase the number of
protection rounds to improve my secret key security, or even move those
keys to a smartcard.
But since AFAIK both 1024 bit DSA and SHA1 hashes are not recommended
for use anymore (at least in new systems), I was wondering if I should
issue a new primary key. What would you recommend? I have no signatures
collected on my primary key (except my own).
Since my encryption subkey is using a current algorithm/key length, my
encrypted messages should be safe regardless of the primary key's
security, right? I.e., the worst thing that could happen is that someone
issues new subkeys that claim to belong to my primary key when they
actually don't. Is that correct?
Thanks,
Edmond
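The relation between the coded `protect count` octet and the iteration figures quoted above, as an added example (not part of the original message and not GnuPG's code). It follows the iterated and salted S2K of RFC 4880, where the decoded count is the number of octets fed to the hash; the function names and the constructed sample lines, salt and passphrase are assumptions.

```python
import hashlib
import re

# Constructed sample in the output format quoted in the message above.
SAMPLE = """\
iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 96
iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: ...
protect count: 161
"""


def decode_count(c):
    """RFC 4880 3.7.1.3: coded count octet -> number of octets hashed."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def encode_count(octets):
    """Smallest coded octet whose decoded value is >= octets (max 255)."""
    for c in range(256):
        if decode_count(c) >= octets:
            return c
    return 255


def protect_counts(text):
    """Pair every coded 'protect count' in the listing with its decoded value."""
    return [(int(c), decode_count(int(c)))
            for c in re.findall(r"protect count: (\d+)", text)]


def s2k_iterated_salted(passphrase, salt, coded, key_len=16, hash_name="sha1"):
    """Type-3 S2K; key_len=16 fits CAST5 ('algo: 3'), sha1 is 'hash: 2'."""
    data = salt + passphrase
    count = max(decode_count(coded), len(data))  # always hash data at least once
    full, rest = divmod(count, len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        # Context n is preloaded with n zero octets when one digest is too short.
        h = hashlib.new(hash_name, b"\x00" * preload)
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    print(protect_counts(SAMPLE))
    print(encode_count(1102848))  # the agent's calibrated figure from the message
```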
From rjh at sixdemonbag.org Sat Jul 23 18:24:14 2011
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 23 Jul 2011 12:24:14 -0400
Subject: Primary Key Security, Old DSA Key
In-Reply-To: <4E2AD88D.8070409@systemli.org>
References: <4E2AD88D.8070409@systemli.org>
Message-ID: <4E2AF5AE.8060907@sixdemonbag.org>
On 7/23/11 10:19 AM, Edmond wrote:
> But since AFAIK both 1024 bit DSA and SHA1 hashes are not recommended
> for use anymore (at least in new systems), I was wondering if I should
> issue a new primary key.
This is impossible to answer, since we don't know exactly what threats
you're facing. However, it's worth pointing out that you're correct:
most of us no longer recommend DSA-1K or SHA-1 *for new systems*.
Speaking personally, just for myself, I have not seen any instances
where I thought someone who used DSA-1K needed to switch algorithms
immediately.
It's probably a good idea to migrate to a new certificate *sometime*.
If right now is a convenient time for you to do it, then sure, go for
it. But there's no rush.
With respect to which algorithms to use... use GnuPG's defaults (RSA-2K
right now, I believe). You don't need to tweak GnuPG in order to get a
very high level of assurance from it. :)
> I.e., the worst thing that could happen is that someone
> issues new subkeys that claim to belong to my primary key when they
> actually don't. Is that correct?
Almost. The worst that could happen is someone could issue signatures
and pretend they're from you. But if SHA-1 falls that far, well, we're
all going to have a whole lot of problems above and beyond just that. :)
From lists at chrispoole.com Sat Jul 23 18:32:44 2011
From: lists at chrispoole.com (Chris Poole)
Date: Sat, 23 Jul 2011 17:32:44 +0100
Subject: gpg-agent automatically use passphrase for signing subkey?
In-Reply-To: <201107231630.25752@thufir.ingo-kloecker.de>
References:
<4E29579B.2090401@mac.com>
<201107231630.25752@thufir.ingo-kloecker.de>
Message-ID:
2011/7/23 Ingo Klöcker